diff --git a/book/source/08-signing_components.md b/book/source/08-signing_components.md index 9d62ff1..a9ef9d1 100644 --- a/book/source/08-signing_components.md +++ b/book/source/08-signing_components.md @@ -233,7 +233,11 @@ This allows for a more extensive network of trusted certifications, enabling a b ```{admonition} VISUAL :class: warning -Heiko, I found the example confusing. So more text is here AND I recommend adding a visual to illustrate it, using your former example. +Illustrate with diagram(s). Notes for diagrams: + +When Alice delegates trust decisions to Trent, designating Trent as a trusted introducer with a *trust depth* of 1, then Alice's OpenPGP implementation will only accept direct certifications by Trent. For example, Trent may have certified that Bob's certificate with the fingerprint `0xB0B` is legitimately connected to Bob's User ID `Bob `. If Alice tries to communicate with Bob using his identity `Bob `, then Alice's OpenPGP software can automatically determine that the certificate `0xB0B` is appropriate to use. + +However, Alice's OpenPGP software wouldn't accept a series of delegations from Trent via Tristan to a certification of Carol's identity (let's imagine that Trent has designated Tristan a trusted introducer). For Alice's OpenPGP software to accept such a path, she needs to designate Trent as a trusted introducer with the `level` set to 2 or more. ``` #### Trust amounts 
@@ -245,7 +249,11 @@ A higher value indicates greater degree of reliance. This quantification aids Op ```{admonition} VISUAL :class: warning -add diagrams? @heiko -- yes, using the examples that I removed +Illustrate with diagram(s). Notes for diagrams: + +If Alice designates Trent as a trusted introducer at a trust amount of 120, then Alice's OpenPGP software will consider Bob's identity fully authenticated if Trent has certified it. + +However, if Alice only assigns a trust amount of 60 (which indicates "partial trust") to Trent, then her software would not consider Bob's identity fully authenticated. Now let's imagine that Alice additionally assigns a trust amount of 60 to Tristan (a second, independent introducer), and Tristan also certified Bob's identity. In this case, Alice's OpenPGP software will consider Bob's identity fully authenticated, based on the combination of both delegations, and the certifications the two trusted introducers issued. ``` #### Limiting delegation scope @@ -257,7 +265,9 @@ With this mechanism, for example, it is possible to delegate authentication deci ```{admonition} VISUAL :class: warning -add diagrams? +Illustrate with diagram(s). Notes for diagrams: + +For example, Alice could delegate trust decisions only for email addresses in the domain `bob.com` to Bob, if she considers Bob to be a reasonable source of identity certifications for that domain. ``` (wot)=
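Review bot: In the first hunk (the VISUAL admonition under trust depth), the two User ID examples read as `Bob ` with nothing after the name, so the email-address part of the User ID appears to have been lost, most likely because the `<...>` portion was swallowed as markup; escape it (for example `Bob \<bob@example.org\>` inside the backticks, or `&lt;`/`&gt;`) or the diagram notes will not show what the certification actually binds the fingerprint to. The same hunk also switches terminology mid-example: it introduces Trent with a "*trust depth* of 1" but then says the path via Tristan requires "the `level` set to 2 or more"; pick one term (and, if `level` is the wire-format name, say so once) so the diagram labels and the prose agree.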
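Review bot: In the second hunk (the VISUAL admonition under trust amounts), the example relies on two rules that are never stated: that 120 is the threshold at which an identity counts as fully authenticated, and that the amounts contributed by independent introducers (here 60 from Trent plus 60 from Tristan) are added together to reach it. Spell both out in the diagram notes, e.g. "Alice's software sums the trust amounts of all introducers who certified the identity; 120 or more means fully authenticated", and also state what happens to Bob's identity in the single-introducer-at-60 case (partially authenticated, not rejected outright), since the diagram will need a label for that state.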
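Review bot: In the third hunk (the VISUAL admonition under limiting delegation scope), Bob switches roles: in the two preceding hunks he is the party whose identity gets certified, while here he becomes the trusted introducer for `bob.com`. Reusing Trent as the scoped introducer (or explicitly saying this is a separate scenario) keeps the three diagrams consistent. The note would also be more useful for the illustrator if it gave the negative case alongside the positive one: a certification by the scoped introducer for a User ID whose email is in `bob.com` is accepted, while an otherwise identical certification for an address in another domain is ignored by Alice's software.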