2017-10-30 23:44 GMT+10:30 Peter Lebbing <pe...@digitalbrains.com>:
> But, I agree that the reverse is not true: a compromised subkey does not
> compromise the primary key in any way I can think of. And systems
> checking for ROCA should not reject a certificate because there is
> something wrong with an already revoked key.

I'm not sure that this is 100% correct. The first part is true, but signatures of a key that has been revoked because it was superseded or lost are valid up to the revocation date, whereas ROCA-affected keys are compromised to some degree and so all signatures are suspect; the revocation status should, ideally, reflect this.

Thanks,
Lachlan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users