On 31/10/17 11:39, Peter Lebbing wrote:
> And yes, the subkey should also be revoked with reason "compromised", for the
> reason you state.

And only now the penny drops. I suppose a system checking for ROCA might rightfully take offense at a subkey revoked as "superseded" or "lost"[1], because with ROCA it is actually "compromised".

I never checked what GnuPG does with two revocations on a key, the earlier a "superseded" and the later a "compromised". The only correct thing would be to treat it as "compromised", especially because the attacker could generate a "superseded" with an earlier timestamp after the compromise and create the same situation. So it ought to work.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
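The precedence rule discussed in the message above, sketched as an added example; it is not part of the original post and it is not GnuPG's code or a statement of what GnuPG does. It generalizes slightly to the usual hard/soft split: the reason codes are those of RFC 4880 section 5.2.3.23, while the `Revocation` type, the function names and the sample timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class Reason(IntEnum):
    # Reason-for-revocation codes from RFC 4880, section 5.2.3.23
    NO_REASON = 0
    SUPERSEDED = 1
    COMPROMISED = 2
    RETIRED = 3


# Reasons treated as "hard": the key material can no longer be trusted at all.
# Counting NO_REASON as hard is a conservative choice made in this example.
HARD = {Reason.COMPROMISED, Reason.NO_REASON}


@dataclass(frozen=True)
class Revocation:  # hypothetical type, not a GnuPG structure
    created: int  # claimed creation time (Unix seconds), set by the signer
    reason: Reason


def effective_revocation(revs: Iterable[Revocation]) -> Optional[Revocation]:
    """Collapse all revocations on one (sub)key into the one that governs it."""
    revs = list(revs)
    if not revs:
        return None
    hard = [r for r in revs if r.reason in HARD]
    if hard:
        # A hard revocation wins no matter what timestamps the others carry.
        return min(hard, key=lambda r: r.created)
    return min(revs, key=lambda r: r.created)


def signature_acceptable(sig_time: int, revs: Iterable[Revocation]) -> bool:
    """Decide whether a signature claiming time sig_time may still be trusted."""
    rev = effective_revocation(revs)
    if rev is None:
        return True
    if rev.reason in HARD:
        return False  # a leaked key can backdate signatures, so time is moot
    return sig_time < rev.created  # soft: only later signatures are rejected


# Constructed sample: an earlier "superseded" and a later "compromised".
SAMPLE = [Revocation(1_509_000_000, Reason.SUPERSEDED),
          Revocation(1_509_450_000, Reason.COMPROMISED)]
```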