
Re: not really pgp signing in van

2013-09-10 13:20:11
On Tue, Sep 10, 2013 at 1:18 PM, Ted Lemon <Ted(_dot_)Lemon(_at_)nominum(_dot_)com> wrote:

On Sep 10, 2013, at 12:32 PM, Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> wrote:
The CA NEVER ever gives the user the key in any of the systems I have
worked on.

This appears to be untrue.

Comodo offers that exact service today.

https://secure.comodo.com/products/!SecureEmailCertificate_Signup

The Comodo service generates the key pair for you.   This means that they
have your private key.   We would hope that they would behave responsibly,
but we don't have the assurance we would have if we generated the key pair
and sent them only the public half.


You go to a Web page that has the HTML or JavaScript control for generating
a keypair. But the keypair is generated on the end user's computer.

The service could send you an ActiveX keygen control with a backdoor but I
am not on Windows right now. I generated the keypair on Chrome and I have
all runtime objects turned off.

The CA returns the signed certificate to you, but that is the public key
part.



-- 
Website: http://hallambaker.com/
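
The enrollment flow described in the message above, as an added example that is not code from the thread or from Comodo: the key pair is generated locally, and the CA receives only a public key plus a proof of possession. It assumes the browser control submits a Netscape SPKAC (the format the HTML `<keygen>` element produced); the thread does not say which format the service uses, and the SHA-256 signature, the challenge string and the function names are choices made for this example.

```javascript
const crypto = require('node:crypto');

// Minimal DER TLV encoder; lengths up to 65535 bytes are enough here.
function der(tag, body) {
  const n = body.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}

// AlgorithmIdentifier: sha256WithRSAEncryption (1.2.840.113549.1.1.11), NULL params.
const SHA256_RSA = Buffer.from('300d06092a864886f70d01010b0500', 'hex');

// Client side: the key pair is created locally; only the SPKAC is sent.
function clientEnroll(challenge) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  // PublicKeyAndChallenge ::= SEQUENCE { spki, challenge IA5String }
  const ia5 = der(0x16, Buffer.from(challenge, 'ascii'));
  const pkac = der(0x30, Buffer.concat([spki, ia5]));
  // Proof of possession: sign the DER of PublicKeyAndChallenge.
  const sig = crypto.sign('sha256', pkac, privateKey);
  const bitString = der(0x03, Buffer.concat([Buffer.from([0]), sig]));
  const spkac = der(0x30, Buffer.concat([pkac, SHA256_RSA, bitString]));
  return { privateKey, submission: spkac.toString('base64') };
}

// CA side: sees only the base64 SPKAC. Returns the public key as PEM, or
// null if the signature or the expected challenge does not check out.
function caAccept(submission, expectedChallenge) {
  const buf = Buffer.from(submission);
  if (!crypto.Certificate.verifySpkac(buf)) return null;
  const got = crypto.Certificate.exportChallenge(buf).toString();
  if (got !== expectedChallenge) return null;
  return crypto.Certificate.exportPublicKey(buf).toString();
}

// True if the private exponent d appears anywhere in what was sent to the CA.
function leaksPrivateKey(privateKey, submission) {
  const d = Buffer.from(privateKey.export({ format: 'jwk' }).d, 'base64');
  return Buffer.from(submission, 'base64').includes(d);
}

// Constructed demo values.
const demo = clientEnroll('constructed-challenge-123');
const accepted = caAccept(demo.submission, 'constructed-challenge-123');
console.log('CA accepted public key:', accepted !== null);
console.log('private key in submission:', leaksPrivateKey(demo.privateKey, demo.submission));
```

Because the client code is served by the CA's page, capturing the form submission and inspecting it this way shows what actually left the machine.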