Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

Peter Lebbing peter at
Mon Oct 30 14:14:30 CET 2017

On 29/10/17 23:08, Damien Goutte-Gattat wrote:
> This is also true the other way around: knowing the primary private key
> does not allow one to deduce the private subkey(s).

This is technically correct but in practice the point can be almost
moot, depending on the threat model.

When you know the primary key, you can issue a new signing subkey and
get your signature accepted by others without needing to know the
material of the real signing subkey.

Likewise, you could create a new encryption subkey and get people to
encrypt to that subkey instead of the real one, once again making
knowledge of the encryption subkey unnecessary.

This is much less inconspicuous; people, including the legitimate holder
of the key, might notice. But by then it might be too late.

But, I agree that the reverse is not true: a compromised subkey does not
compromise the primary key in any way I can think of. And systems
checking for ROCA should not reject a certificate because there is
something wrong with an already revoked key.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
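
The points made in the message above can be turned into a checker policy. The following is an added example, not part of the original post and not GnuPG code. It reads `gpg --list-keys --with-colons` output for a single certificate and decides what a ROCA finding should lead to. The function names, the sample key IDs and the `flagged` set (key IDs that some external ROCA test reported as vulnerable) are assumptions.

```python
# Constructed `gpg --list-keys --with-colons` output for one certificate.
# Key IDs are made up. Field 1 = record type, field 2 = validity
# ("r" means revoked), field 5 = key ID.
SAMPLE = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:
sub:r:2048:1:BBBBBBBBBBBBBBBB:1400000000::::::s:
sub:u:2048:1:CCCCCCCCCCCCCCCC:1500000000::::::e:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1509000000::::::s:
"""


def parse_keys(colons):
    """Return (record_type, validity, key_id) for each pub/sub record."""
    keys = []
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub") and len(fields) > 4:
            keys.append((fields[0], fields[1], fields[4]))
    return keys


def assess(colons, flagged):
    """Decide the outcome for one certificate.

    flagged: set of key IDs reported as ROCA-vulnerable by an external
    test (assumption: that test is run separately, it is not done here).
    """
    keys = parse_keys(colons)
    primary = next((k for k in keys if k[0] == "pub"), None)
    if primary is None:
        raise ValueError("no primary key record found")
    if primary[1] == "r":
        # The whole certificate is already revoked; nothing more to decide.
        return ("certificate-revoked", [])
    if primary[2] in flagged:
        # Whoever knows the primary key can issue new subkeys, so the
        # certificate as a whole cannot be relied on.
        return ("reject-certificate", [primary[2]])
    # A weak subkey does not compromise the primary key, and an already
    # revoked subkey is no reason to reject anything.
    live = [kid for typ, val, kid in keys
            if typ == "sub" and val != "r" and kid in flagged]
    return ("reject-subkeys", live) if live else ("accept", [])


if __name__ == "__main__":
    print(assess(SAMPLE, {"BBBBBBBBBBBBBBBB", "CCCCCCCCCCCCCCCC"}))
```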
