diff --git a/book/source/01-intro.md b/book/source/01-intro.md index f5eba2b..a83cda4 100644 --- a/book/source/01-intro.md +++ b/book/source/01-intro.md @@ -19,7 +19,7 @@ With OpenPGP, you can: - [Encrypt](encryption_chapter) and [decrypt](decryption_chapter) messages - [Sign](signing_data) and [verify](verification_chapter) data -- [Issue certifications and examine statements](certifications_chapter) about keys and identities, similar to the role of a Certificate Authority in validating identities. +- [Issue certifications and examine statements](component_signatures_chapter) about keys and identities, similar to the role of a Certificate Authority in validating identities. To enable these operations, OpenPGP utilizes a set of [established cryptographic mechanisms](cyrptography_chapter). These building blocks are integrated into OpenPGP's standard, which also addresses identities and their verification. diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 6018205..186a08e 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -55,7 +55,7 @@ Because the GnuPG program binary is called "gpg," "GnuPG" and "gpg" are often us In 2007, the IETF published [RFC 4880](https://datatracker.ietf.org/doc/html/rfc4880), which defined version 4 of the OpenPGP standard. As of late 2023, version 4 is the most commonly used version. - +(major_implementations)= ### Major implementations of OpenPGP Today, multiple implementations of OpenPGP play important roles: diff --git a/book/source/03-cryptography.md b/book/source/03-cryptography.md index c8765ac..b85d982 100644 --- a/book/source/03-cryptography.md +++ b/book/source/03-cryptography.md @@ -131,7 +131,7 @@ In OpenPGP, digital signatures have diverse applications, extending beyond mere Digital signatures in OpenPGP are used in two primary contexts: -- [Certification statements](certifications_chapter) +- [Certification statements](component_signatures_chapter) - [Data signatures](signing_data) (hybrid_cryptosystems)= diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index b3149fe..bc1e48b 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -183,7 +183,7 @@ The OpenPGP standard currently only defines one format to store in User Attribut To form an OpenPGP certificate out of a collection of components, the certificate holder links these components together (using their OpenPGP software). -The OpenPGP term for linking components is "binding," as in: "a subkey is bound to the primary key." The bindings are realized using cryptographic signatures (much more details about this are in {ref}`certifications_chapter`). +The OpenPGP term for linking components is "binding," as in: "a subkey is bound to the primary key." The bindings are realized using cryptographic signatures (much more details about this are in {ref}`component_signatures_chapter`). In very abstract terms, the primary key of a certificate acts as a root of trust for that certificate (as a kind of "certification authority"): diff --git a/book/source/08-signing_components.md b/book/source/08-signing_components.md index ae75c3a..0a9e699 100644 --- a/book/source/08-signing_components.md +++ b/book/source/08-signing_components.md @@ -3,8 +3,7 @@ SPDX-FileCopyrightText: 2023 The "Notes on OpenPGP" project SPDX-License-Identifier: CC-BY-SA-4.0 --> -(certifications_chapter)= - +(component_signatures_chapter)= # Signatures on components In this chapter, we'll consider OpenPGP signatures that apply to components. That is, signatures that apply to: @@ -95,6 +94,7 @@ Note, though, that there are some cases where third parties legitimately add "un [^flooding]: Storing third-party identity certifications in the target OpenPGP certificate is convenient for consumers: it is easy to find all relevant certifications in one central location. However, when third parties can unilaterally add certifications, this opens an avenue for denial-of-service attacks by flooding. The SKS network of OpenPGP key servers [allowed and experienced this problem](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html). +(bind_subkey)= ### Binding subkeys to a certificate Linking a subkey to an OpenPGP certificate is done with a ["Subkey Binding Signature"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-subkey-binding). Such a signature signals that the "primary key wants to be associated with the subkey". @@ -178,7 +178,8 @@ Contrary, a hard revocation cannot be re-validated. Furthermore, a hard-revoked A missing revocation reason subpacket is equivalent with a hard revocation reason. -## Third-party signatures: Making statements about other people's certificates and identities +(third_party_cert)= +## Third-party certifications: Making statements about other people's certificates and identities ```{admonition} TODO :class: warning @@ -214,7 +215,7 @@ This signature should have the following structure: The recommended way to change the expiration time of a certificate is by issuing a new `DirectKey` signature (type 0x1F) with an adjusted Key Expiration Time subpacket. The structure of such a signature is the same as in the section above. -It is also possible to change the expiration date of individual User IDs (see section below) or separate subkeys (see [section X](#add_subkey)). +It is also possible to change the expiration date of individual User IDs (see section below) or separate subkeys (see {numref}`bind_subkey`). #### Add User ID diff --git a/book/source/10-encryption.md b/book/source/10-encryption.md index 7e3e4c3..2b48280 100644 --- a/book/source/10-encryption.md +++ b/book/source/10-encryption.md @@ -19,6 +19,7 @@ Core concept: ## Generations of encryption +(SEIPDv2)= ### SEIPD w/ AEAD (v2) ### SEIPD (v1)