> On Jan 7, 2016, at 4:13 PM, Mouse <mo...@rodents-montreal.org> wrote:
>
>>> I don't trust the vendor's internal security to keep the key from
>>> leaking and I don't trust the vendor's HR security to prevent
>>> malware authors from making it to the inside, and I *sure* don't
>>> trust the vendor to resist a request from law enforcement [...]
>> I don't know if it's typical or not, but every company that
>> I've worked for that has managed crypto-keys has taken key security
>> *very* seriously.
>
> I find that easy to believe. However:
>
> (1) "[E]very company [you]'ve worked for" is almost certainly a heavily
> biased sample; if you have a tenth the clue you appear to, you
> would stay away from the dodgier ones.

Probably. ;-)

>
> (2) Taking key security seriously is a very different thing from being
> good at key security. (They probably correlate positively, but not
> nearly as strongly as one might wish.)
>

Agree. In the cases I’m aware of they do both. ;-)

TTFN - Guy