I'm building out the collateralized ID prototype (http://joecascio.net/joecblog/2013/03/25/collateralized-identity-using-bitcoin-to-suppress-sockpuppets/), which needs to be able to sign messages using the bitcoin-jsonrpc functions of Bitcoin-Qt.
In order to sign a message you need to issue the "walletpassphrase" command, with the passphrase as the first argument and the time-out as the second.
Now, I'm obviously concerned about putting the passphrase in a file whose path could be sniffed out from the Django settings file, etc., and stolen. So is the best practice to actually pop up a form and have the user input the passphrase? Then you'd still have to worry about key loggers, but that's the limit.
Any advice gratefully accepted.
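The unlock-sign-lock sequence the question describes, written out as an added example (this is not code from the original post or from the bitcoin-jsonrpc library). It assumes a local Bitcoin-Qt/bitcoind started with `-server`, whose JSON-RPC credentials (`rpcuser`/`rpcpassword`, a separate secret from the wallet passphrase) are passed in by the caller; the `FakeWallet` class, its error messages and its "signature" strings are constructed stand-ins so the flow can be run offline. The wallet passphrase is read from a prompt at call time and never written to settings, and `walletlock` is issued as soon as `signmessage` returns rather than leaving the wallet open for the whole timeout.

```python
import base64
import getpass
import json
import urllib.error
import urllib.request
from typing import Any, Callable

# A transport takes (method, params) and returns the JSON-RPC "result" value,
# raising RpcError when the node answers with an "error" object.
RpcCall = Callable[[str, list], Any]

# Bitcoin Core RPC error codes for the two failure modes this flow must handle.
RPC_WALLET_UNLOCK_NEEDED = -13
RPC_WALLET_PASSPHRASE_INCORRECT = -14


class RpcError(Exception):
    def __init__(self, code: int, message: str):
        super().__init__(f"RPC error {code}: {message}")
        self.code = code


def http_rpc(url: str, user: str, password: str) -> RpcCall:
    """JSON-RPC 1.0 over HTTP with basic auth, as Bitcoin-Qt's -server expects.
    user/password are the rpcuser/rpcpassword from bitcoin.conf, not the wallet passphrase."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()

    def call(method: str, params: list) -> Any:
        body = json.dumps({"jsonrpc": "1.0", "id": "collateral-id", "method": method, "params": params}).encode()
        req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json", "Authorization": "Basic " + auth})
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
        except urllib.error.HTTPError as e:  # bitcoind reports RPC errors as HTTP 500 with a JSON body
            raw = e.read()
        reply = json.loads(raw)
        if reply.get("error"):
            raise RpcError(reply["error"]["code"], reply["error"]["message"])
        return reply["result"]

    return call


def sign_with_prompt(rpc: RpcCall, address: str, message: str,
                     read_passphrase: Callable[[], str] = getpass.getpass,
                     unlock_seconds: int = 5) -> str:
    """Sign `message` with the key behind `address`, unlocking the wallet only for that call.
    The passphrase comes from the prompt at call time and is never persisted; the short
    timeout is a backstop only, because walletlock is issued right after signing."""
    passphrase = read_passphrase()
    try:
        rpc("walletpassphrase", [passphrase, unlock_seconds])
    except RpcError as e:
        if e.code == RPC_WALLET_PASSPHRASE_INCORRECT:
            raise ValueError("wrong wallet passphrase") from None
        raise
    finally:
        del passphrase  # drop our reference; Python cannot guarantee the str is wiped from memory
    try:
        return rpc("signmessage", [address, message])
    finally:
        rpc("walletlock", [])  # re-lock even if signmessage failed


class FakeWallet:
    """Constructed stand-in for the node's RPC server so the example runs offline.
    It models only the lock state; the returned "signature" is NOT a real ECDSA signature
    (the real signmessage returns a base64 compact signature)."""

    def __init__(self, passphrase: str):
        self._passphrase = passphrase
        self.unlocked = False
        self.log: list = []  # method names in call order, to inspect the sequence

    def __call__(self, method: str, params: list) -> Any:
        self.log.append(method)
        if method == "walletpassphrase":
            if params[0] != self._passphrase:
                raise RpcError(RPC_WALLET_PASSPHRASE_INCORRECT, "The wallet passphrase entered was incorrect.")
            self.unlocked = True
            return None
        if method == "walletlock":
            self.unlocked = False
            return None
        if method == "signmessage":
            if not self.unlocked:
                raise RpcError(RPC_WALLET_UNLOCK_NEEDED, "Please enter the wallet passphrase with walletpassphrase first.")
            address, message = params
            return f"fake-sig:{address}:{message}"
        raise RpcError(-32601, "Method not found")


if __name__ == "__main__":
    # Offline demo against the fake; swap in http_rpc("http://127.0.0.1:8332", user, pw) for a real node.
    wallet = FakeWallet("correct horse battery staple")
    print(sign_with_prompt(wallet, "1ExampleAddr", "collateral challenge 42"))
    print("calls:", wallet.log, "unlocked afterwards:", wallet.unlocked)
```

Whatever the passphrase source, the RPC credentials still have to live somewhere the Django process can read them; keep them out of version-controlled settings (environment variable or a root-owned config with restrictive permissions) and bind the node's RPC port to localhost only, since anyone who can reach it while the wallet is unlocked can sign too.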