From 1aa4696f3eb5b603c55bd0d01d2dfd9f7b08d643 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 10 Oct 2023 16:26:31 +0200 Subject: [PATCH] ch4: add todo notes --- book/source/04-certificates.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index ea794d7..32e2e31 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -721,7 +721,22 @@ The subkey packet above by itself is disconnected from the OpenPGP certificate t The type of signature that is used for this is called a *subkey binding signature*, because it "binds" (as in "connects") the subkey to the rest of the key. -In addition to its core purpose of making the connection, this signature also contains additional metadata about the subkey. One reason why this metadata is in a binding signature (and not in the subkey packet) is that it may change over time. The subkey packet itself may not change over time. So metadata about the subkey that can change is stored in self-signatures: if the key holder wants to change some metadata (for example, the key's expiration time), they can issue a newer version of the same kind of signature. Receiving OpenPGP software will then understand that the newer self-signature supercedes the older signature, and that the metadata in the newer signature reflects the most current intent of the key holder. +```{admonition} VISUAL +:class: warning + +Add detailed packet diagram analogous to 4.6.1 +``` + +```{admonition} TODO +:class: warning + +david points out: "The information on metadata in binding signatures may also make sense in other contexts (direct key signature)?" + +Should this text go elsewhere? +- 4.2.3? +- ch 6? +``` +In addition to its core purpose of making the connection, this signature also contains additional metadata about the subkey. One reason why this metadata is in a binding signature (and not in the subkey packet) is that it may change over time. The subkey packet itself may not change over time. So metadata about the subkey that can change is stored in self-signatures: if the key holder wants to change some metadata (for example, the key's expiration time), they can issue a newer version of the same kind of signature. 
Receiving OpenPGP software will then understand that the newer self-signature supersedes the older signature, and that the metadata in the newer signature reflects the most current intent of the key holder. Note that this subkey binding signature packet is quite similar to the Direct Key Signature we discussed packet above. Both signatures perform the same function in terms of adding metadata to a component key. In particular, the hashed subpacket data contains many of the same pieces of metadata. @@ -808,6 +823,12 @@ The signature is calculated over a hash. The hash, in this case, is calculated o ### Signing subkey +```{admonition} TODO +:class: warning + +write +``` + ```text $ sq packet dump --hex alice.priv-6--SecretSubkey Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes
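Review bot: The first hunk (@@ -721) does more than the subject "add todo notes" states: the removed paragraph is re-added with "supercedes" corrected to "supersedes" and split across two source lines, so a wording fix is hidden inside a TODO-only commit. Either mention the typo fix in the commit message or move it to its own commit so the diff of this one is just the two admonitions. Also, the VISUAL admonition and the TODO bullet point at sections by number ("analogous to 4.6.1", "- 4.2.3?"); if those sections are renumbered the notes go stale, so a MyST cross-reference to a section label would be more robust than a hard-coded number. While this paragraph is being touched, the adjacent context sentence "the Direct Key Signature we discussed packet above" has a misplaced word ("we discussed above" or "packet we discussed above") that could be fixed in the same pass.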
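Review bot: In the second hunk (@@ -808) the TODO body is just "write", which tells the next author nothing about what the "### Signing subkey" section is expected to contain. Since the context right after it is the `$ sq packet dump --hex alice.priv-6--SecretSubkey` listing, the note would be more useful if it said what is missing, for example "write: walk through the Secret-Subkey packet dump below, analogous to the preceding subkey sections", so the placeholder is actionable rather than a bare reminder.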