Umm... Why use brute force when you have VBScript?
Perhaps my wording was a bit off -- I'm not proposing the easy theft of a user's private key via an email worm, but rather the unauthorized _use_ of that key.
Suppose we have an email client (let's call it "Lookout", or "Post-it Notes" for want of a better name). It has been designed to sign all outgoing email with the user's private key. So, it _needs_ to have access to that key. The user may have to enter a passphrase when the program starts, but I wouldn't expect it to be required every time the key is used. (How often do Outlook, Netscape Messenger or Lotus Notes actually ask for a password? Only once. Sometimes not even that. Why is that? Because users are lazy, and they demand features like that.)
Once the email client has the power to sign and send mail (or sign keys, or pick lottery numbers, or use any other Innovative Feature[tm]) with the user's key, we don't _need_ to brute force anything. Especially if it has a built-in scripting language which provides functions like VBDisableAllSecuritySettings, VBSignAndSendMessage or VBRunNoSmokeDotBat.
So yes, using PGP means that I can have some certainty that a message signed with your key came from your computer, but in a world with "Melissa's Pen Pal Loves Good Times", I can't trust that any key signed by you actually belongs to someone you know or that an email from your computer was actually sent by you, so that whole "web of trust" starts to fray around the edges, leaving things not much better than they are now.