>> I don't trust the vendor's internal security to keep the key from
>> leaking and I don't trust the vendor's HR security to prevent
>> malware authors from making it to the inside, and I *sure* don't
>> trust the vendor to resist a request from law enforcement [...]

> I don't know if it's typical or not, but every company that
> I've worked for that has managed crypto-keys has taken key security
> *very* seriously.

I find that easy to believe.  However:

(1) "[E]very company [you]'ve worked for" is almost certainly a heavily
biased sample; if you have a tenth the clue you appear to, you would
stay away from the dodgier ones.

(2) Taking key security seriously is a very different thing from being
good at key security.  (They probably correlate positively, but not
nearly as strongly as one might wish.)

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mo...@rodents-montreal.org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B