mirror of
https://codeberg.org/openpgp/notes.git
synced 2024-11-26 17:42:06 +01:00
ch8: write missing "signatures for primary key metadata" section
This commit is contained in:
parent
6bbef95d21
commit
06da358f99
1 changed files with 24 additions and 5 deletions
|
@ -139,14 +139,33 @@ Linking a User ID to an OpenPGP certificate
|
|||
This signature is calculated over the primary key and User ID.
|
||||
|
||||
|
||||
### Adding metadata to the primary key
|
||||
|
||||
The signatures that bind subkeys and identity components to a certificate serve two different purposes: Linking components to the certificate and adding metadata to a component.
|
||||
|
||||
The primary key in a certificate doesn't need to be linked to the certificate. It acts as the anchor for linking, itself and thus doesn't require being linked. However, there is nevertheless a need to associate metadata with the primary key.
|
||||
|
||||
There are two mechanisms for adding metadata to the primary key:
|
||||
|
||||
- Via a direct key signature on the primary key, or
|
||||
- via a "primary User ID" binding signature.
|
||||
|
||||
Relevant metadata for the primary key that is defined the above mechanisms includes:
|
||||
|
||||
- Key expiration,
|
||||
- key flags,
|
||||
- algorithm preference signaling.
|
||||
|
||||
(direct_key_signature)=
|
||||
### Direct key signature: Adding metadata to the primary key
|
||||
#### Direct key signature
|
||||
|
||||
```{admonition} TODO
|
||||
:class: warning
|
||||
A [*direct key signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-direct-key-signature-type-i) is one mechanism to store information about the primary key, and about the entire certificate.
|
||||
|
||||
explain metadata associated with this signature, and that c-r prefers this over primary user id.
|
||||
```
|
||||
In OpenPGP v6, a direct key signature is the [preferred mechanism](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.2.3.10-9).
|
||||
|
||||
#### Primary User ID binding self-signature
|
||||
|
||||
In a certificate, one User ID serves as the [*primary* User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-primary-user-id). The metadata in the binding self-signature on this User ID applies to the primary key of the certificate.
|
||||
|
||||
### Revocations: Invalidating components of a certificate
|
||||
|
||||
|
|
Loading…
Reference in a new issue