To whatever site you decide to give it to. User intervention (at least one click in the browser chrome) is required.
(This is obvious, why do people assume that new systems do the dumbest thing possible and not even bother to check?)
You log into your email provider, which asks your browser to generate a key. Your email provider signs the key, and your browser stores it.
There's no single keypair that you're totally dependent on.
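
A sketch of the flow described in the comment above, as an added example that is not part of the original comment or any project's code: the browser generates a keypair, the email provider signs the public key, and a site the user picks verifies the result. Ed25519, the JSON field names, the lifetimes and all function names are assumptions made for illustration.

```javascript
// Added illustration. Field names, lifetimes and Ed25519 are assumptions.
const crypto = require('node:crypto');

// Sign a JSON object; returns the exact signed bytes plus the signature.
const sign = (obj, key) => {
  const body = Buffer.from(JSON.stringify(obj));
  return { body: body.toString('base64'), sig: crypto.sign(null, body, key).toString('base64') };
};
// Returns the parsed body if the signature checks out, otherwise null.
const open = (msg, pubKey) => {
  const body = Buffer.from(msg.body, 'base64');
  const ok = crypto.verify(null, body, pubKey, Buffer.from(msg.sig, 'base64'));
  return ok ? JSON.parse(body.toString()) : null;
};

// Email provider: after login, signs the public key the browser generated.
const provider = crypto.generateKeyPairSync('ed25519');
function certify(email, browserPubPem, now) {
  return sign({ email, pub: browserPubPem, exp: now + 3600 }, provider.privateKey);
}

// Browser: generates its own keypair and stores the signed certificate.
// Each browser enrolls separately, so no one keypair is a single point of loss.
function browserEnroll(email, now) {
  const kp = crypto.generateKeyPairSync('ed25519');
  const pubPem = kp.publicKey.export({ type: 'spki', format: 'pem' });
  return { key: kp.privateKey, cert: certify(email, pubPem, now) };
}

// Runs only after the user's click: the proof names the one site chosen.
function assertTo(store, site, now) {
  return { cert: store.cert, proof: sign({ aud: site, exp: now + 120 }, store.key) };
}

// Site: check the provider's signature, then possession, audience and expiry.
function verify(assertion, site, providerPub, now) {
  const cert = open(assertion.cert, providerPub);
  if (!cert || cert.exp < now) return null;
  const proof = open(assertion.proof, crypto.createPublicKey(cert.pub));
  if (!proof || proof.aud !== site || proof.exp < now) return null;
  return cert.email;
}
```

Because the proof carries the audience, an assertion handed to one site is rejected if replayed at another, and an expired certificate only requires the browser to enroll a fresh key with the provider.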