perhaps you remember the Comodo CA fraud problem? http://arstechnica.com/security/2011/03/how-the-comodo-certificate-fraud-calls-ca-trust-into-question/
/bill On 10September2013Tuesday, at 14:47, John R Levine wrote: >>> You go to a Web page that has the HTML or Javascript control for generating >>> a keypair. But the keypair is generated on the end user's computer. >> >> So I run Javascript provided by Comodo to generate the key pair. This >> means that my security depends on my willingness and ability to read >> possibly obfuscated Javascript to make sure that it only uploads the public >> half of the key pair. > > I think we're entering the tinfoil zone here. Comodo is one of the largest > CAs around, with their entire income depending on people paying them to sign > web and code certs because they are seen as trustworthy. > > How likely is it that they would risk their reputation and hence their entire > business by screwing around with free promo S/MIME certs? > > Regards, > John Levine, [email protected], Taughannock Networks, Trumansburg NY > "I dropped the toothpaste", said Tom, crestfallenly.
