There are readily available examples of crypto software generating key pairs on the client end, and never exposing the private key to the server - GPG/PGP, OpenSSL, tarsnap - and the OpenSSL libraries are used by a whole bunch of other software too (encfs, browsers, web servers, CSR generation…)
Any "crypto" which doesn't do secure keygen on the client for "at rest" data storage is now significantly more suspect than before these revelations. You can explain away whatever you like in terms of "usability" or "most users don't care", but now many of us are going to read any excuses as "Yeah, the US government has got to our CEO… And he's not gonna be the next Qwest guy…"