I think he was suggesting that, instead of sending the private key to this web server, the check they're doing could be implemented client-side, thus avoiding the need for the key to transit the wire.
I haven't been able to access the site though, so I may be way off in my understanding of what it does.
Sending it over HTTPS at least narrows down the recipient to... who it's intended for. And I wasn't suggesting encrypting and then sending it to them, instead perform the check on the client side in a way that no information is ever sent back to their server; using the browser as a platform to run an "app".
I don't condone this at all, but if they're adamant about providing this service they should at least try and make it less damning than it already is.
Me: I wanted to know more about your certificate key matcher. Isn't the private key always meant to remain... private?
Emanuele: Yes, it should. We offer the tool to help verify the correspondence SSL certificate it is lost.
Me: But it would be sent over HTTP and viewable to anyone along the network.
Emanuele: The page can also be accessed through HTTPS.
Me: I think it should be enforced. Also something like this should be done client side. Perhaps using crypto.js.
Emanuele: OK, I will pass your comment to our General manager.