Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

Lachlan Gunn lachlan at
Tue Oct 31 12:06:43 CET 2017

Le 2017-10-31 à 13:01, Peter Lebbing a écrit :
> Revocations are done by the primary key. If the user has lost the secret
> primary, they should fetch their revocation certificate, not fool around with
> the subkeys ;-). (Incidentally, this is why you don't need revocation
> certificates for individual subkeys.)

True, though this applies to the primary key too---I was thinking of all
signatures, really.  But if you consider that correct then it is only
accidentally so :)

> [1] Lachlan indicates "lost" is also treated as "signatures before revocation
> date remain valid", but I haven't checked myself.

I would recommend checking this yourself, as a quick google didn't find
it, and I haven't had a chance to do more thorough research.


More information about the Gnupg-users mailing list