diff --git a/book/source/08-signing_components.md b/book/source/08-signing_components.md index ff6e123..7cdbc3a 100644 --- a/book/source/08-signing_components.md +++ b/book/source/08-signing_components.md @@ -6,33 +6,33 @@ SPDX-License-Identifier: CC-BY-SA-4.0 (component_signatures_chapter)= # Signatures on components -In this chapter, we'll look at OpenPGP signatures that apply to components of certificates. That is, signatures that apply to: +This chapter examines OpenPGP signatures associated with certificate components, applying to: -- Component keys (primary keys or subkeys) and -- Identity components (User IDs or User attributes). +- component keys, encompassing primary keys and subkeys +- identity components, namely user IDs and user attributes Signatures on components are used to construct and maintain certificates, and to model the authentication of identities. -This chapter expands on topics we introduced in the {ref}`certificates_chapter` chapter. +This chapter expands on topics introduced in the {ref}`certificates_chapter` chapter. ## Self-signatures vs third-party signatures -There are two fundamentally different flavors of signatures on components: +Component signatures in OpenPGP are categorized into two distinct types: -- *Self-signatures*, which are issued by the certificate holder themselves using the primary key of the certificate, and -- *third-party signatures*, which are issued by a third party. +- **self-signatures**, which are issued by the certificate holder using the certificate's primary key +- **third-party signatures**, which are issued by an external entity, not the certificate holder ### Self-signatures -*Self-signatures* on components are a crucial mechanism for forming OpenPGP certificates (by binding the certificate's components into one combined data structure), as well as for life-cycle management of certificates (that is: performing changes to the certificate, over time). +Self-signatures are fundamental in creating and managing OpenPGP certificates. They bind the various components of a certificate into one combined data structure and facilitate the certificate's life-cycle management. -Life-cycle management operations on OpenPGP certificates and their components include: +Life-cycle management operations include: -- binding additional components to a certificate, -- changing the expiration date, or other metadata, of a component, and -- invalidating components or existing self-signatures using revocations. +- binding additional components to a certificate +- modifying expiration dates or other metadata of components +- revoking, and thus invalidating, components or existing self-signatures -Self-signatures are issued by the certificate's owner, using the primary key of the same certificate. +Self-signatures are issued by the certificate's owner using the certificate's primary key. ```{note} No [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) is required to issue self-signatures. An OpenPGP primary key can issue self-signatures by default. @@ -40,16 +40,16 @@ No [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh- ### Third-party signatures -Third-party signatures on components form the basis for OpenPGP's decentralized authentication functionality (also known as the *Web of Trust*). They encode authentication-related statements about certificates and their associated identities. +Third-party signatures are pivotal in OpenPGP for decentralized authentication, forming the basis of the *Web of Trust*. They encode authentication-related statements about certificates and linked identities, establishing trustworthiness and verification. -Third-party OpenPGP signatures can be used to make the following types of statements: +Third-party signatures are used to make specific statements: -- Certification of identity claims, -- Delegation of authentication decisions, -- Invalidating previous third-party signature statements using revocations. +- certifying identity claims +- delegating authentication decisions +- revoking, and thus invalidating, prior third-party signature statements ```{note} -The **certify others** [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) (`0x01`) is required to issue third-party signatures. Only the primary key of a certificate may hold this key flag. +The **certify others** [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) (`0x01`) is required to issue third-party signatures. Only the certificate's primary holds this key flag. ``` ### Self-signatures and third-party signatures convey different meanings