Generation of keys.

Lennart Filutowski lennart at x3m-solutions.com
Thu Feb 5 19:13:29 CET 2004


Hi everyone!

I have been assigned a task to develop a webmail with support for
enc/dec of email and attachments. Now one of the features is that you should
be able to create a keypair through the webpage. Everywhere I get a big
no-no as soon as I say server-side generation of keys. But is this solution
not safer than the alternative?

This is the setup: A server that is managed by qualified security personnel.
On this server we have a hardware number generator attached. The passwords
and user information used to create the keys are sent through a secure SSL
connection. The private key never leaves the server.

Or the alternative: A regular machine managed by the user downloads
software to create a keypair with pseudo-random numbers and then uploads
these through a secure SSL connection.

I really don't know if I should use gpg to generate the keys, but I was
planning to use it to enc/dec the messages and attachments at least. As for
the key generation, I am not really sure if I should start the development
of one or if there is anything useful out there that I could use.

What are people's thoughts on this? Is there a possibility to run gpg using a
hardware random number device without too much poking in the source?
Comments and thoughts are welcome. Thanks guys.

// Lennart A Filutowski




