A quick question for all you security-savvy people. Our IT instructor has asked the class to sign up for verisigns' 60-day trial of a class 1 digital id.

I also understand that a well (poorly?) written activeX applet can grab my key basically without my knowledge (to speak nothing of the other myriad holes in win98/95)

My question is, where the hell is the private key kept on the users box? How is it protected against attack?

It's protected by Microsoft asserting that it's protected. There's also some sort of attempt at encryption (easily broken, see http://www.cs.auckland.ac.nz/~pgut001/breakms.txt), but in any case there are enough security holes there that anything which manages to run on your system (ActiveX, as you've mentioned) can grab your keys without a lot of trouble. Peter.