Good point. For SSL certificates, and many other security-related services, you always ultimately trust some strangers, who sometimes happen to use names such as "Trusted Certificate Authority" which normally should read "Stranger Stranger Stranger".
What would be the alternative, to find a "Trusted Certified Code Generator Authority"?
Edit: for example Bitcoins, Satoshi and Bitcoin Exchanges.
The generator is using a version of the AES FPE (BPS) standard, as I see, so it's kind of peer-reviewed.
There's a vast gulf between SSL and a third-party promo code generator. The main difference being the number of professionals putting time and effort into SSL standards and the global uptake of those standards. Trust is earned.
To say something as well established as a 'Trusted Certificate Authority' equates to 'Stranger Stranger Stranger' is slightly erroneous. I may not know them personally, but to all intents and purposes my browser is incredibly familiar with the technology and has been for generations. That trust has been earned.
I've no idea what the process was for SSL to become so central, but it'd be a good example of how to reach that position with something like a promo code generator. I'd imagine a lot of time being peer reviewed, worked on collaboratively and, if it's ever misused, strong evidence of hotfixes in new iterations. A track record of legitimacy. Of earned trust.
You're right, and indeed the promo code generator uses a hardened version of the proposed NIST standard for FPE, called BPS. It's the result of vast academic research since the 1950s on how to shuffle and generate unique random permutations within an arbitrary set.
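The property discussed in this thread (a keyed permutation that turns sequential counters into unique, non-sequential codes without storing the issued ones), as an added example that is not part of the thread and not the generator's code. It is not BPS: it is a generic HMAC-SHA256 Feistel network with cycle-walking, and the alphabet, code length, function names and key are all assumptions.

```python
import hashlib
import hmac

ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # constructed: 31 unambiguous symbols
CODE_LEN = 4                                   # constructed: 31**4 possible codes
ROUNDS = 8

def _f(key, rnd, half, half_bits):
    """Keyed round function: HMAC-SHA256 truncated to half_bits."""
    msg = bytes([rnd]) + half.to_bytes(8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << half_bits) - 1)

def _feistel(key, x, half_bits, inverse):
    """Balanced Feistel network: a bijection on 2*half_bits-bit integers."""
    left, right = x >> half_bits, x & ((1 << half_bits) - 1)
    for rnd in (reversed(range(ROUNDS)) if inverse else range(ROUNDS)):
        if inverse:
            left, right = right ^ _f(key, rnd, left, half_bits), left
        else:
            left, right = right, left ^ _f(key, rnd, right, half_bits)
    return (left << half_bits) | right

def permute(key, index, size, inverse=False):
    """Map index in [0, size) to a unique value in [0, size)."""
    if not 0 <= index < size:
        raise ValueError("index outside domain")
    half_bits = max(1, ((size - 1).bit_length() + 1) // 2)
    x = _feistel(key, index, half_bits, inverse)
    while x >= size:  # cycle-walking: re-apply until back inside the domain
        x = _feistel(key, x, half_bits, inverse)
    return x

def code_for(key, counter):
    """Turn a sequential counter into a fixed-length code string."""
    n = permute(key, counter, len(ALPHABET) ** CODE_LEN)
    chars = []
    for _ in range(CODE_LEN):
        n, digit = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[digit])
    return "".join(reversed(chars))

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # placeholder; use a random secret key
    print([code_for(demo_key, i) for i in range(5)])
```

Uniqueness follows from the construction being a bijection on the code space, so it holds for any key; unpredictability of the codes depends entirely on keeping the key secret.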