vanitasvitae/openpgp-notes
1
0
Fork 0
mirror of https://codeberg.org/openpgp/notes.git synced 2024-11-22 23:52:05 +01:00
Code Issues Projects Releases Packages Wiki Activity

ch8: write missing "signatures for primary key metadata" section

Browse source
This commit is contained in:
Heiko Schaefer 2023-11-12 20:46:38 +01:00
parent 6bbef95d21
commit 06da358f99
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB
1 changed files with 24 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
book/source/08-signing_components.md
View file

@ -139,14 +139,33 @@ Linking a User ID to an OpenPGP certificate
This signature is calculated over the primary key and User ID.
### Adding metadata to the primary key
The signatures that bind subkeys and identity components to a certificate serve two different purposes: Linking components to the certificate and adding metadata to a component.
The primary key in a certificate doesn't need to be linked to the certificate. It acts as the anchor for linking, itself and thus doesn't require being linked. However, there is nevertheless a need to associate metadata with the primary key.
There are two mechanisms for adding metadata to the primary key:
- Via a direct key signature on the primary key, or
- via a "primary User ID" binding signature.
Relevant metadata for the primary key that is defined the above mechanisms includes:
- Key expiration,
- key flags,
- algorithm preference signaling.
(direct_key_signature)=
### Direct key signature: Adding metadata to the primary key
#### Direct key signature
```{admonition} TODO
:class: warning
A [*direct key signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-direct-key-signature-type-i) is one mechanism to store information about the primary key, and about the entire certificate.
explain metadata associated with this signature, and that c-r prefers this over primary user id.
```
In OpenPGP v6, a direct key signature is the [preferred mechanism](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.2.3.10-9).
#### Primary User ID binding self-signature
In a certificate, one User ID serves as the [*primary* User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-primary-user-id). The metadata in the binding self-signature on this User ID applies to the primary key of the certificate.
### Revocations: Invalidating components of a certificate