On 29/10/17 23:08, Damien Goutte-Gattat wrote: > This is also true the other way around: knowing the primary private key > does not allow to deduce the private subkey(s).
This is technically correct but in practice the point can be almost moot, depending on the threat model. When you know the primary key, you can issue a new signing subkey and get your signature accepted by others without needing to know the material of the real signing subkey. Likewise, you could create a new encryption subkey and get people to encrypt to that subkey instead of the real one, once again making knowledge of the encryption subkey unnecessary. This is much less inconspicuous; people, including the legitimate holder of the key, might notice. But by then it might be too late. But, I agree that the reverse is not true: a compromised subkey does not compromise the primary key in any way I can think of. And systems checking for ROCA should not reject a certificate because there is something wrong with an already revoked key. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupgemail@example.com http://lists.gnupg.org/mailman/listinfo/gnupg-users