From 06da358f9917de536295886c5658842e6e6ac8bf Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sun, 12 Nov 2023 20:46:38 +0100 Subject: [PATCH] ch8: write missing "signatures for primary key metadata" section --- book/source/08-signing_components.md | 29 +++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/book/source/08-signing_components.md b/book/source/08-signing_components.md index 3580ba5..8063d33 100644 --- a/book/source/08-signing_components.md +++ b/book/source/08-signing_components.md 
@@ -139,14 +139,33 @@ Linking a User ID to an OpenPGP certificate This signature is calculated over the primary key and User ID. +### Adding metadata to the primary key + +The signatures that bind subkeys and identity components to a certificate serve two different purposes: Linking components to the certificate and adding metadata to a component. + +The primary key in a certificate doesn't need to be linked to the certificate. It acts as the anchor for linking, itself and thus doesn't require being linked. However, there is nevertheless a need to associate metadata with the primary key. + +There are two mechanisms for adding metadata to the primary key: + +- Via a direct key signature on the primary key, or +- via a "primary User ID" binding signature. + +Relevant metadata for the primary key that is defined the above mechanisms includes: + +- Key expiration, +- key flags, +- algorithm preference signaling. + (direct_key_signature)= -### Direct key signature: Adding metadata to the primary key +#### Direct key signature -```{admonition} TODO -:class: warning +A [*direct key signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-direct-key-signature-type-i) is one mechanism to store information about the primary key, and about the entire certificate. -explain metadata associated with this signature, and that c-r prefers this over primary user id. -``` +In OpenPGP v6, a direct key signature is the [preferred mechanism](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.2.3.10-9). + +#### Primary User ID binding self-signature + +In a certificate, one User ID serves as the [*primary* User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-primary-user-id). The metadata in the binding self-signature on this User ID applies to the primary key of the certificate. ### Revocations: Invalidating components of a certificate
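Review bot: The new "Adding metadata to the primary key" section lists two mechanisms but never says how a reader should resolve the case where a certificate carries both a direct key signature and a primary User ID binding signature with conflicting metadata (for example, two different key expiration times); the later sentence "In OpenPGP v6, a direct key signature is the preferred mechanism" covers only which one to create, not which one a consumer should honor, so consider adding a sentence on precedence (or explicitly deferring it to the linked crypto-refresh section) since expiration and key flags are exactly the fields an implementation relies on for validity decisions. Two wording fixes in the same hunk: "It acts as the anchor for linking, itself and thus doesn't require being linked." has a misplaced comma and should read "It acts as the anchor for linking itself, and thus doesn't require being linked."; and "Relevant metadata for the primary key that is defined the above mechanisms includes:" is missing a preposition, e.g. "that is defined via the above mechanisms". Minor: "However, there is nevertheless a need" doubles the contrast, so drop either "However" or "nevertheless".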