Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

Andrew Gallagher andrewg at
Sun Oct 29 22:48:59 CET 2017

> On 29 Oct 2017, at 19:18, Shannon C <rehevkor5 at> wrote:
> I can't find anyone talking about this particular issue. Assuming that the secret key was generated outside of an Infineon chip, but that subsequently subkeys were generated by a chip with the ROCA vulnerability, does that compromise the main private key, or only the subkey?

There should be no way for a compromised subkey to affect the security of its primary key. Creating a subkey does not alter the primary key in any way; all that happens is that an SBIND signature is created by the primary key for the subkey. This does not compromise the primary key material if done in a conformant way (if it did, your implementation would have *much* more serious problems).

Further, if the subkey is revoked, the overall effect should be as if the subkey did not exist. An application that complains about revoked subkeys is probably being overly paranoid. There may be a flimsy argument that doing so might protect those people whose clients do not handle revocations properly. But if a client were to ignore subkey revocations then again, it has bigger problems. 
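As an added illustration that is not part of the original message: a small Python parser for `gpg --list-keys --with-colons` output, run over a constructed listing, showing that a revoked subkey drops out of the usable set while the primary key's own status is unchanged. The key IDs and the sample listing are constructed; the field positions follow GnuPG's colon-listing format.

```python
# Constructed sample of `gpg --list-keys --with-colons` output (not a real key).
# Field 1 = record type, 2 = validity, 3 = key length, 5 = key ID, 12 = capabilities.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>::::::::::0:
sub:r:2048:1:BBBBBBBBBBBBBBBB:1500000100::::::e::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1509000000::::::e::::::23:
"""

# Validity letters that mean the key must not be used.
UNUSABLE = {"r": "revoked", "e": "expired", "d": "disabled", "i": "invalid"}


def key_status(colon_listing):
    """Return one dict per primary key or subkey found in the listing."""
    keys = []
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue  # skip uid, fpr and other record types
        keys.append({
            "type": "primary" if fields[0] == "pub" else "subkey",
            "keyid": fields[4],
            "bits": int(fields[2]),
            "caps": fields[11],
            "status": UNUSABLE.get(fields[1], "ok"),
        })
    return keys


def effective_subkeys(colon_listing):
    """Key IDs of subkeys a client should still consider; revoked ones vanish."""
    return [k["keyid"] for k in key_status(colon_listing)
            if k["type"] == "subkey" and k["status"] == "ok"]


if __name__ == "__main__":
    for k in key_status(SAMPLE):
        print(f'{k["type"]:8} {k["keyid"]} {k["bits"]} bits  {k["status"]}')
    print("usable subkeys:", effective_subkeys(SAMPLE))
```
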

