On Tue, Sep 10, 2013 at 2:36 PM, Ted Lemon
<Ted(_dot_)Lemon(_at_)nominum(_dot_)com> wrote:
On Sep 10, 2013, at 2:19 PM, Phillip Hallam-Baker
<hallam(_at_)gmail(_dot_)com>
wrote:
You go to a Web page that has the HTML or Javascript control for
generating a keypair. But the keypair is generated on the end user's
computer.
So I run Javascript provided by Comodo to generate the key pair. This
means that my security depends on my willingness and ability to read
possibly obfuscated Javascript to make sure that it only uploads the public
half of the key pair.
I didn't say it was pretty. But it is subject to exactly the same potential
compromise a proprietary PGP is.
The problem is not merely that the CA might obtain the private key. A
compromised key generation mechanism could leak bits of the seed in the
modulus.
The problem is lack of transparency in key generation and that is common to
all email security programs right now.
--
Website: http://hallambaker.com/