by cookiecaper
3338 days ago
This is a very dicey subject. I think it's best to keep it loose as long as possible. Introducing a regulatory body into any field is perilous, but something as fast moving as software and security would be frightening. What happens when the regulation is that you have to use the algorithm that was cracked last month? Eek. Voluntary, socially-enforced customs are better. Things like the MPAA rating system have successfully staved off government intervention. Such standards are much more flexible. We already have this de-facto via TLS and the browser's angry messages if you don't comply with their expectations, but it'd be interesting if browsers started running a more thorough security verification program and giving preferential treatment to sites that implemented it. That is also scary because it centralizes more control in browser manufacturers (which, today, means Google almost as much as it meant Microsoft in the oughts). But still better than the government I guess, and blocking a site in software is much more motivating than the risk of a fine for non-compliance.