Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

Peter Lebbing peter at
Tue Oct 31 11:39:24 CET 2017

On 31/10/17 01:08, Lachlan Gunn wrote:
> I'm not sure that this is 100% correct.  The first part is true, but signatures
> of a key that has been revoked because it was superseded or lost are valid up to
> the revocation date, whereas ROCA-affected keys are compromised to some degree
> and so all signatures are suspect; the revocation status should, ideally,
> reflect this.

Oh, I was talking about a ROCA-affected *subkey* but a clean primary key, where
the subkey was already revoked by the primary key. I think you are talking about
a ROCA-affected primary key.

A ROCA-affected primary key should be revoked as *compromised*, replaced and not
used in any capacity.

And yes, the subkey should also be revoked with reason "compromised", for the
reason you state.

To clarify, do you agree if I reword the paragraph you contest as:

But, I agree that the reverse is not true: a compromised subkey does not
compromise the primary key in any way I can think of. And systems
checking for ROCA should not reject a certificate because there is
something wrong with an already revoked subkey.

The only change is in the last word :-).



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Gnupg-users mailing list