This is definitely a bug that should be fixed ASAP, but it's a bit in the grey area on the vulnerability side. Yes, people may think their key is more protected than it actually is, but then we are not relying on that "feature" to actually protect the key, and the fix does not provide extra security beyond the obscurity of needing to steal two files (protected with the same rights) instead of one. The ca_password option sounds pretty useless to begin with, so we could probably get rid of it.
I'm wandering on the "no" side, but could easily be convinced otherwise.
Nice find!
This is definitely a bug that should be fixed ASAP, but it's a bit in the grey area on the vulnerability side. Yes, people may think their key is more protected than it actually is, but then we are not relying on that "feature" to actually protect the key, and the fix does not provide extra security beyond the obscurity of needing to steal two files (protected with the same rights) instead of one. The ca_password option sounds pretty useless to begin with, so we could probably get rid of it.
I'm wandering on the "no" side, but could easily be convinced otherwise.