Impact of ROCA (CVE-2017-15361) in subkey vs. private key?
lachlan at twopif.net
Tue Oct 31 11:45:51 CET 2017
Le 2017-10-31 à 12:39, Peter Lebbing a écrit :
> To clarify, do you agree if I reword the paragraph you contest as:
> But, I agree that the reverse is not true: a compromised subkey does not
> compromise the primary key in any way I can think of. And systems
> checking for ROCA should not reject a certificate because there is
> something wrong with an already revoked subkey.
> The only change is in the last word :-).
No, I don't think so---even if the subkey is revoked, there is nothing
stopping me from factoring its public key and then signing all kinds of
documents with a backdated timestamp. I guess if I'm running the test
myself then I can go ahead and ignore signatures from that subkey, but
ideally the key would actually be marked as compromised.
More information about the Gnupg-users