On Tue, Sep 10, 2013 at 2:36 PM, Ted Lemon <Ted.Lemon@xxxxxxxxxxx> wrote:
On Sep 10, 2013, at 2:19 PM, Phillip Hallam-Baker <hallam@xxxxxxxxx> wrote:So I run _javascript_ provided by Comodo to generate the key pair. This means that my security depends on my willingness and ability to read possibly obfuscated _javascript_ to make sure that it only uploads the public half of the key pair.
> You go to a Web page that has the HTML or _javascript_ control for generating a keypair. But the keypair is generated on the end user's computer.
I didn't say it was pretty. But it is subject to exactly the same potential compromise a proprietary PGP is.
The problem is not merely that the CA might obtain the private key. A compromised key generation mechanism could leak bits of the seed in the modulus.
The problem is lack of transparency in key generation and that is common to all email security programs right now.