Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

Lachlan Gunn lachlan at
Tue Oct 31 11:45:51 CET 2017

Le 2017-10-31 à 12:39, Peter Lebbing a écrit :
> To clarify, do you agree if I reword the paragraph you contest as:
> But, I agree that the reverse is not true: a compromised subkey does not
> compromise the primary key in any way I can think of. And systems
> checking for ROCA should not reject a certificate because there is
> something wrong with an already revoked subkey.
> The only change is in the last word :-).

No, I don't think so---even if the subkey is revoked, there is nothing
stopping me from factoring its public key and then signing all kinds of
documents with a backdated timestamp.  I guess if I'm running the test
myself then I can go ahead and ignore signatures from that subkey, but
ideally the key would actually be marked as compromised.


More information about the Gnupg-users mailing list