mirror of
https://codeberg.org/openpgp/notes.git
synced 2024-11-22 23:52:05 +01:00
edit signatures on components intro, self-sig v 3rd party
This commit is contained in:
parent 1331e9bb5a
commit 2340333f40
1 changed file with 19 additions and 19 deletions
|
@ -6,33 +6,33 @@ SPDX-License-Identifier: CC-BY-SA-4.0
|
|||
(component_signatures_chapter)=
|
||||
# Signatures on components
|
||||
|
||||
In this chapter, we'll look at OpenPGP signatures that apply to components of certificates. That is, signatures that apply to:
|
||||
This chapter examines OpenPGP signatures associated with certificate components, applying to:
|
||||
|
||||
- Component keys (primary keys or subkeys) and
|
||||
- Identity components (User IDs or User attributes).
|
||||
- component keys, encompassing primary keys and subkeys
|
||||
- identity components, namely user IDs and user attributes
|
||||
|
||||
Signatures on components are used to construct and maintain certificates, and to model the authentication of identities.
|
||||
|
||||
This chapter expands on topics we introduced in the {ref}`certificates_chapter` chapter.
|
||||
This chapter expands on topics introduced in the {ref}`certificates_chapter` chapter.
|
||||
|
||||
## Self-signatures vs third-party signatures
|
||||
|
||||
There are two fundamentally different flavors of signatures on components:
|
||||
Component signatures in OpenPGP are categorized into two distinct types:
|
||||
|
||||
- *Self-signatures*, which are issued by the certificate holder themselves using the primary key of the certificate, and
|
||||
- *third-party signatures*, which are issued by a third party.
|
||||
- **self-signatures**, which are issued by the certificate holder using the certificate's primary key
|
||||
- **third-party signatures**, which are issued by an external entity, not the certificate holder
|
||||
|
||||
### Self-signatures
|
||||
|
||||
*Self-signatures* on components are a crucial mechanism for forming OpenPGP certificates (by binding the certificate's components into one combined data structure), as well as for life-cycle management of certificates (that is: performing changes to the certificate, over time).
|
||||
Self-signatures are fundamental in creating and managing OpenPGP certificates. They bind the various components of a certificate into one combined data structure and facilitate the certificate's life-cycle management.
|
||||
|
||||
Life-cycle management operations on OpenPGP certificates and their components include:
|
||||
Life-cycle management operations include:
|
||||
|
||||
- binding additional components to a certificate,
|
||||
- changing the expiration date, or other metadata, of a component, and
|
||||
- invalidating components or existing self-signatures using revocations.
|
||||
- binding additional components to a certificate
|
||||
- modifying expiration dates or other metadata of components
|
||||
- revoking, and thus invalidating, components or existing self-signatures
|
||||
|
||||
Self-signatures are issued by the certificate's owner, using the primary key of the same certificate.
|
||||
Self-signatures are issued by the certificate's owner using the certificate's primary key.
|
||||
|
||||
```{note}
|
||||
No [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) is required to issue self-signatures. An OpenPGP primary key can issue self-signatures by default.
|
||||
|
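Review bot: the rewritten intro sentence (`This chapter examines OpenPGP signatures associated with certificate components, applying to:`) leaves `applying to:` dangling, since grammatically it attaches to the chapter rather than to the signatures, whereas the original `signatures that apply to:` read cleanly; consider `This chapter examines OpenPGP signatures that apply to certificate components, that is, to:` or keeping the original lead-in. Two smaller style points in the same hunk: the emphasis on the two defined terms switches from `*Self-signatures*` to `**self-signatures**`, while `*Web of Trust*` further down the file stays in italics, so the file should settle on one convention for newly introduced terms; and the intro and the paragraph a few lines below it now both open with `This chapter`, which reads repetitively back to back.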
@ -40,16 +40,16 @@ No [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-
|
|||
|
||||
### Third-party signatures
|
||||
|
||||
Third-party signatures on components form the basis for OpenPGP's decentralized authentication functionality (also known as the *Web of Trust*). They encode authentication-related statements about certificates and their associated identities.
|
||||
Third-party signatures are pivotal in OpenPGP for decentralized authentication, forming the basis of the *Web of Trust*. They encode authentication-related statements about certificates and linked identities, establishing trustworthiness and verification.
|
||||
|
||||
Third-party OpenPGP signatures can be used to make the following types of statements:
|
||||
Third-party signatures are used to make specific statements:
|
||||
|
||||
- Certification of identity claims,
|
||||
- Delegation of authentication decisions,
|
||||
- Invalidating previous third-party signature statements using revocations.
|
||||
- certifying identity claims
|
||||
- delegating authentication decisions
|
||||
- revoking, and thus invalidating, prior third-party signature statements
|
||||
|
||||
```{note}
|
||||
The **certify others** [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) (`0x01`) is required to issue third-party signatures. Only the primary key of a certificate may hold this key flag.
|
||||
The **certify others** [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) (`0x01`) is required to issue third-party signatures. Only the certificate's primary holds this key flag.
|
||||
```
|
||||
|
||||
### Self-signatures and third-party signatures convey different meanings
|
||||
|
|
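Review bot: the rewritten key-flag note (`Only the certificate's primary holds this key flag.`) drops the noun `key` and also changes the claim: the original `Only the primary key of a certificate may hold this key flag.` states that the flag is permitted only on the primary key, whereas `holds` reads as a statement that every primary key carries it. Suggest `Only the certificate's primary key may hold this key flag.` Separately, the added clause `establishing trustworthiness and verification` in the Web of Trust paragraph overstates what a third-party signature does: it records a certifier's statement, and whether that statement is trusted is decided by the verifying party's own evaluation, so the sentence is more accurate without the clause. Minor: `used to make specific statements:` is vaguer than the original `the following types of statements:`; `the following kinds of statements:` keeps the list anchored to the sentence.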