On 31/10/17 11:56, Lachlan Gunn wrote: > The only difficulty is when the owner doesn't have the secret key > anymore, and so can't re-revoke it. Then you might want to keep it from > being disseminated further.
Revocations are done by the primary key. If the user has lost the secret primary, they should fetch their revocation certificate, not fool around with the subkeys ;-). (Incidentally, this is why you don't need revocation certificates for individual subkeys.) I'm glad we agree, because I didn't sleep so well and I see I'm making mistakes :-D. The  in: I suppose a system checking for ROCA might rightfully take offense at a subkey revoked as "superseded" or "lost", because with ROCA it is actually "compromised". should have been a footnote:  Lachlan indicates "lost" is also treated as "signatures before revocation date remain valid", but I haven't checked myself. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupgemail@example.com http://lists.gnupg.org/mailman/listinfo/gnupg-users