
What is the harm if I publish an encrypted RSA private key publicly? Or in this case, what is the harm if I publish many thousands or millions of them?

Assuming that the private key is encrypted with a typical user password, the passphrase is some combination of password + user ID (which is not necessarily user-selected), some method of key stretching is used, and that it's not obvious what the key is used for, is there any harm?

The reason I ask is that I want to investigate a way to store public and private keys on behalf of web users for use within a web browser. The private key would be stored at an HTTPS URL that describes neither the user who owns it nor what the key would access. The data stored at the private key URL would be read-only.

The intention is to assume that any private keystore would be eventually attractive enough to be attacked and breached and therefore assuming that keeping the private key files hidden or protected would be poor or insufficient security.

The fact that this private keystore exists would not be treated as private information. All keys would be accessible by anyone that knows the URL for each. There would be no key/directory index provided. The key files may be stored on simple file storage/hosting systems like Amazon S3, but they would always be served over HTTPS.

Please ignore the issue of possible theft of password via keylogging and ignore the issue of possible theft of unencrypted key via direct JavaScript access.

Emmaly

1 Answer


Systems like ssh, for example, often encrypt a user's private key using a password, so that is not new. The fact that they are published on a web server that technically anyone could access is a little different. But, if the password is strong, brute force and dictionary attacks would be impossible. So the system seems secure.

That if, though, is a big if. As CodesInChaos points out, users are bad at picking good passwords. So, let's assume they are still bad at picking passwords. Eventually the URLs will become known, so we can't rely on that for security. An attacker can then download the encrypted private keys and decrypt them since a bad password was chosen.

How does this differ from traditional passwords? Well, in traditional passwords, at least the database and server can be hardened to keep people from getting material that can be used in an offline dictionary attack. Under this system, the URL scheme would be the only thing preventing an offline dictionary attack.

mikeazo
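The question's scheme (password + user ID, key stretching) and the answer's point that, once the blobs are public, the KDF cost multiplied by the password space is the only thing left standing between an attacker and the key can both be made concrete in a few lines. The following is an added example, not code from the question, the answer, or any keystore project; the salt construction, the scrypt parameters, and the entropy estimator are assumptions chosen for illustration, and the time-per-guess figure is measured on whatever machine runs it.

```python
import hashlib
import math
import time

# Assumed scrypt parameters (illustrative, not from the page). 128 * N * r bytes of
# memory per guess: 2**14 * 8 * 128 = 16 MiB, within hashlib.scrypt's default limit.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32


def derive_wrapping_key(password: str, user_id: str, n: int = SCRYPT_N) -> bytes:
    """Stretch (password, user_id) into a 32-byte key used to wrap the RSA private key.

    The user ID is folded in as a salt, so two users with the same password get
    different wrapping keys and a single guess cannot be checked against every
    published key file at once. The domain prefix is an assumed constant.
    """
    salt = hashlib.sha256(b"keystore-v1:" + user_id.encode("utf-8")).digest()
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def naive_entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate from character classes and length.

    This overestimates real passwords badly (dictionary words, names and
    keyboard walks carry far fewer bits), which is exactly the answer's point:
    the defender must budget for the low end, not this number.
    """
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0


def measure_seconds_per_guess(rounds: int = 3) -> float:
    """Time one KDF evaluation, i.e. the cost of checking one password guess."""
    start = time.perf_counter()
    for i in range(rounds):
        derive_wrapping_key("timing-probe", f"user-{i}")
    return (time.perf_counter() - start) / rounds


def offline_guess_cost_seconds(entropy_bits: float, seconds_per_guess: float,
                               parallel_guessers: int = 1) -> float:
    """Expected wall-clock time to recover a password of the given entropy offline.

    With the encrypted blob public, nothing rate-limits the attacker: expected
    work is half the password space, divided across however many KDF instances
    they can run in parallel.
    """
    expected_guesses = (2 ** entropy_bits) / 2
    return expected_guesses * seconds_per_guess / parallel_guessers


if __name__ == "__main__":
    per_guess = measure_seconds_per_guess()
    print(f"KDF cost per guess on this machine: {per_guess * 1000:.1f} ms")
    # Constructed sample passwords: a weak one and a long random-looking one.
    for pw in ["summer2014", "Kq7#vPz9!mR2wL4e"]:
        bits = naive_entropy_bits(pw)
        years = offline_guess_cost_seconds(bits, per_guess, parallel_guessers=1000) / 3.15e7
        print(f"{pw!r}: ~{bits:.0f} bits (optimistic), "
              f"~{years:.3g} years for 1000 parallel guessers")
```

The numbers this prints are the defender's budget, not a recipe: the scheme is only as strong as the weakest accepted password times the KDF cost, so a deployment that publishes the blobs has to either raise `SCRYPT_N` until single guesses are expensive enough to make the low-entropy tail infeasible, or refuse passwords whose realistic entropy falls below that line.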