[dllthomas]

The security implications vary, but generally private keys should be readable only by the processes that need them, to whatever degree is practical, and entropy that is used to generate a key should be considered roughly equivalent to the key itself.

This is not to say that leaving a private key world-readable is necessarily a horrible idea; it can certainly ease deployment, and there are always tradeoffs. But it does mean that this key is only as secure as your most vulnerable user account - including unprivileged user accounts running riskier services (unless they are genuinely sandboxed).

Making it readable only by a certain group is going to be better, security-wise, and shouldn't be too much more difficult, and so may generally be a better idea, but my key objection was that it sounded like a statement of policy: "we're only deriving keys from this, so we don't need to be careful with it" - which is bad policy without considering the protection the needed by the specific keys. The article does talk about this some later on but not (IMO) clearly or generally enough.