Generation of keys.
lennart at x3m-solutions.com
Thu Feb 5 19:13:29 CET 2004
I have been assigned a task to develop a webmail with the support for
enc/dec of email and attachments. Now one of the features is that you should
be able to create a keypair through the webpage. Everywhere I get a big
nono, as soon as I say serverside generation of keys. But is this solution
not safer than the alternative..
This is the setup: A server that is managed by qualifyed security personel.
On this server we have a hardware number generator attached. The passwords
and userinformation used to create the keys are sent through a secure SSL
connection. The private key does never leave the server.
Or the alternative: A regular machine managed by the user, downloads
software to create a keypair with psuedo random numbers and then uploads
these through a secure SSL connection.
I really don't know if I should use gpg to generate the keys, but I was
planing to use it to enc/dec the messages and attachments atleast. As for
the keygeneration I am not really sure if I should start the a development
of one or if there are anything useful out there that I could use.
What are ppls thoughts on this? Is there a possibility to run gpg using a
hardware random number device without to much poking in the source..?
Comments and thoughts are welcome. Thanks guys.
// Lennart A Filutowski
More information about the Gnupg-users