> On 29 Oct 2017, at 19:18, Shannon C <rehevk...@gmail.com> wrote:
> I can't find anyone talking about this particular issue. Assuming that the
> secret key was generated outside of an Infineon chip, but that subsequently
> subkeys were generated by a chip with the ROCA vulnerability, does that
> compromise the main private key, or only the subkey?

There should be no way for a compromised subkey to affect the security of its
primary key. Creating a subkey does not alter the primary key in any way; all
that happens is that an SBIND signature is created by the primary key for the
subkey. This does not compromise the primary key material if done in a
conformant way (if it did, your implementation would have *much* more serious

Further, if the subkey is revoked, the overall effect should be as if the
subkey did not exist. An application that complains about revoked subkeys is
probably being overly paranoid. There may be a flimsy argument that doing so
might protect those people whose clients do not handle revocations properly.
But if a client were to ignore subkey revocations then again, it has bigger

Gnupg-users mailing list
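
As an added illustration of the point made in the reply above (not part of the original thread, and not GnuPG code): the ROCA fingerprint is a property of each RSA modulus on its own, so a keyring is audited key by key and a flagged subkey says nothing about the primary. The code assumes the moduli have already been extracted from the key packets; the keyring, labels and function names are constructed for this example.

```python
# Added example: per-key ROCA fingerprint check (not from the original thread).
# Assumption: RSA moduli were already extracted from the OpenPGP key packets.
GENERATOR = 65537
# Odd primes up to 167; in the published ROCA analysis these divide the
# primorial M used for all affected key lengths.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]

def subgroup(prime):
    """Residues reachable as 65537^i mod prime."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % prime
    return seen

SUBGROUPS = {p: subgroup(p) for p in SMALL_PRIMES}

def has_roca_fingerprint(modulus):
    """True if the modulus lies in <65537> modulo every small prime."""
    return all(modulus % p in s for p, s in SUBGROUPS.items())

def audit(keys):
    """Map each key label to its own fingerprint result."""
    return {label: has_roca_fingerprint(n) for label, n in keys.items()}

def constructed_keyring():
    """Constructed sample data: one ordinary modulus, one fingerprinted."""
    m = 1
    for p in SMALL_PRIMES:
        m *= p
    # Factors shaped like k*M + (65537^a mod M). They are not checked for
    # primality: the fingerprint depends only on the residues.
    f1 = 1234567 * m + pow(GENERATOR, 4242, m)
    f2 = 7654321 * m + pow(GENERATOR, 1717, m)
    return {
        # Product of two Mersenne primes, standing in for an ordinary key.
        "primary (generated off-card)": (2**127 - 1) * (2**89 - 1),
        "subkey (generated on-card)": f1 * f2,
    }

if __name__ == "__main__":
    for label, flagged in audit(constructed_keyring()).items():
        print(f"{label}: {'fingerprint present' if flagged else 'no fingerprint'}")
```

A subkey flagged this way is revoked and replaced on its own; the primary key's modulus is tested separately and is unaffected by the subkey's result.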