On Tue, Sep 10, 2013 at 2:36 PM, Ted Lemon <[email protected]> wrote:
> On Sep 10, 2013, at 2:19 PM, Phillip Hallam-Baker <[email protected]> wrote:
>
> You go to a Web page that has the HTML or Javascript control for generating a keypair. But the keypair is generated on the end user's computer.
>
> So I run Javascript provided by Comodo to generate the key pair. This means that my security depends on my willingness and ability to read possibly obfuscated Javascript to make sure that it only uploads the public half of the key pair.
>

I didn't say it was pretty. But it is subject to exactly the same potential compromise a proprietary PGP is.

The problem is not merely that the CA might obtain the private key. A compromised key generation mechanism could leak bits of the seed in the modulus.

The problem is lack of transparency in key generation and that is common to all email security programs right now.

--
Website: http://hallambaker.com/
