At 07:04 PM 5/26/02, you wrote:
Stand alone cryptography is best. I enjoy sealing my personal letters in an envelope. I am uncomfortable entrusting that process to a third-party, or to the mailman. I am similarly uncomfortable entrusting e-mail encryption to an embedded system and cached authentication systems.
And I prefer key generation when not online to a facility that may implement various operations like the "Internet X.509 Certificate Request Message Format" Internet-draft, which defines certain functions between a Certificate Authority (such as VeriSign) and the user's machine that generates the key pair, including certain options for "Proof of Possession of Private Key" (POPOPrivKey) during the online session to generate keys and obtain an X.509 S/MIME certificate:

    POPOPrivKey ::= CHOICE {
        thisMessage          [0] BIT STRING,
        -- possession is proven in this message (which contains the private
        -- key itself (encrypted for the CA))

.. and ..

    PKIArchiveOptions ::= CHOICE {
        encryptedPrivKey     [0] EncryptedKey,
        -- the actual value of the private key
        keyGenParameters     [1] KeyGenParameters,
        -- parameters which allow the private key to be re-generated
        archiveRemGenPrivKey [2] BOOLEAN }
        -- set to TRUE if sender wishes receiver to archive the private
        -- key of a key pair which the receiver generates in response to
        -- this request; set to FALSE if no archival is desired.
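As an added illustration (not part of the original message), the following Python decodes the context-specific tags of the two CHOICE types quoted above and reports which alternative a DER-encoded value carries, so a client can check whether a request would hand its private key (or the parameters to regenerate it) to the CA, or ask the CA to archive one. The tag numbers come from the definitions quoted above; the sample byte strings are constructed here and are not taken from any real request.

```python
"""Classify DER-encoded CRMF PKIArchiveOptions / POPOPrivKey values by their
CHOICE alternative, flagging the ones that move private-key material to the CA."""


def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag_class, tag_number, value, next_pos).
    Single-byte tags and definite lengths only, which is all these CHOICEs need."""
    first = buf[pos]
    tag_class, tag_num = first >> 6, first & 0x1F
    if tag_num == 0x1F:
        raise ValueError("high-tag-number form not supported")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag_class, tag_num, value, pos + length


CONTEXT = 2  # tag class bits 10 = context-specific, i.e. the [n] tags in the CHOICEs
ARCHIVE_CHOICES = {0: "encryptedPrivKey", 1: "keyGenParameters", 2: "archiveRemGenPrivKey"}


def classify_archive_options(der):
    """Return (alternative, key_material_leaves_client) for a PKIArchiveOptions value."""
    tag_class, tag_num, value, _ = read_tlv(der)
    if tag_class != CONTEXT or tag_num not in ARCHIVE_CHOICES:
        raise ValueError("not a PKIArchiveOptions alternative")
    name = ARCHIVE_CHOICES[tag_num]
    if tag_num in (0, 1):   # the key itself, or enough parameters to regenerate it
        return name, True
    return name, value[0] != 0   # [2] BOOLEAN: TRUE asks the CA to archive a key it generates


def popo_sends_private_key(der):
    """True when a POPOPrivKey uses thisMessage [0], i.e. carries the (encrypted) private key."""
    tag_class, tag_num, _, _ = read_tlv(der)
    return tag_class == CONTEXT and tag_num == 0


# Constructed sample encodings (not from any real request):
ARCHIVE_TRUE = bytes([0x82, 0x01, 0xFF])                      # [2] BOOLEAN TRUE
ARCHIVE_FALSE = bytes([0x82, 0x01, 0x00])                     # [2] BOOLEAN FALSE
KEYGEN_PARAMS = bytes([0x81, 0x04, 0xDE, 0xAD, 0xBE, 0xEF])   # [1] OCTET STRING
# [0] EncryptedKey: explicit tag around a minimal EncryptedValue SEQUENCE { encValue BIT STRING }
ENC_PRIVKEY = bytes([0xA0, 0x06, 0x30, 0x04, 0x03, 0x02, 0x00, 0xAB])
POP_THIS_MESSAGE = bytes([0x80, 0x03, 0x00, 0xAB, 0xCD])      # [0] BIT STRING, 0 unused bits
```

Running `classify_archive_options` over each sample shows that only `archiveRemGenPrivKey` set to FALSE keeps the key material on the client side.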