Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

Lachlan Gunn lachlan at twopif.net
Tue Oct 31 01:08:04 CET 2017


2017-10-30 23:44 GMT+10:30 Peter Lebbing <peter at digitalbrains.com>:

> But, I agree that the reverse is not true: a compromised subkey does not
> compromise the primary key in any way I can think of. And systems
> checking for ROCA should not reject a certificate because there is
> something wrong with an already revoked key.
>

I'm not sure that this is 100% correct.  The first part is true, but
signatures of a key that has been revoked because it was superseded or lost
are valid up to the revocation date, whereas ROCA-affected keys are
compromised to some degree and so all signatures are suspect; the
revocation status should, ideally, reflect this.

Thanks,
Lachlan
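
The distinction drawn in this reply, written out as an added example that is not part of the original message or of GnuPG: the reason codes are those of RFC 4880, section 5.2.3.23, while `signature_status`, the `roca_affected` flag, and the conservative handling of "no reason" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import IntEnum
from typing import Optional


class RevocationReason(IntEnum):
    """Reason-for-revocation codes from RFC 4880, section 5.2.3.23."""
    NO_REASON = 0
    KEY_SUPERSEDED = 1
    KEY_COMPROMISED = 2
    KEY_RETIRED = 3


# "Soft" reasons: the key was trustworthy right up to the revocation.
SOFT_REASONS = {RevocationReason.KEY_SUPERSEDED, RevocationReason.KEY_RETIRED}


@dataclass
class Revocation:
    reason: RevocationReason
    revoked_at: datetime


def signature_status(signed_at: datetime,
                     revocation: Optional[Revocation],
                     roca_affected: bool = False) -> str:
    """Hypothetical policy helper: 'valid', 'invalid' or 'suspect'."""
    # A ROCA-affected key could have been factored at any point in its
    # life, so the claimed signing time proves nothing about who signed.
    if roca_affected:
        return "suspect"
    if revocation is None:
        return "valid"
    # Superseded or retired: signatures made before revocation stay valid.
    if revocation.reason in SOFT_REASONS:
        return "valid" if signed_at < revocation.revoked_at else "invalid"
    # Compromised, or no reason given (assumption: treat it as the worst case).
    return "suspect"


if __name__ == "__main__":
    # Constructed sample dates, for illustration only.
    signed, revoked = datetime(2017, 1, 1), datetime(2017, 10, 20)
    soft = Revocation(RevocationReason.KEY_SUPERSEDED, revoked)
    print(signature_status(signed, soft))                      # superseded key
    print(signature_status(signed, soft, roca_affected=True))  # same, ROCA key
```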