Identity-based cryptography can greatly reduce the complexity of sending encrypted messages over the Internet. However, it necessarily requires a private-key generator (PKG), which can create private keys for clients, and so can passively eavesdrop on all encrypted communications. Although a distributed private-key generator has been suggested as a way to mitigate this problem, to date there have been no practical implementations provided for one. This paper presents the first realistic architecture and an implementation for a distributed private-key generator for use over the Internet.We improve the adversary model in the proactive verifiable secret sharing scheme by Herzberg et al. and define master-key modification and secret share recovery protocols in our new model. Our periodic master-key modification achieves forward secrecy of the master key; this feature has been missing in other proactive security schemes, but is of great importance in identity-based applications. Recognizing the utility of modifying the set of nodes and the security threshold in a distributed PKG, we present protocols for these operations. We also compare our architecture to other verifiable secret sharing architectures for the Internet and demonstrate that ours has both better message efficiency as well as a more complete feature set. Finally, with a geographically distributed installation of our application, we verify its efficiency and practicality.