vanitasvitae/openpgp-notes
1
0
Fork 0
mirror of https://codeberg.org/openpgp/notes.git synced 2024-11-23 16:12:05 +01:00
Code Issues Projects Releases Packages Wiki Activity

continue edits to ch4

Browse source
This commit is contained in:
Tammi L. Coles 2023-10-21 12:58:44 +02:00
parent 525734b9a9
commit 25af6a907a
1 changed files with 44 additions and 75 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

119
book/source/04-certificates.md
View file

@ -32,11 +32,7 @@ An OpenPGP certificate (or "OpenPGP key") is a collection of an arbitrary number
- Identity components - Identity components
- Additional metadata, including connections between the certificate's components - Additional metadata, including connections between the certificate's components
We sometimes collectively refer to component keys and identity information as "the components of a certificate." This documentation collectively refers to component keys and identity information as "the components of a certificate."
```{admonition} Warning
Please clarify who "we" is in this statement.
```
```{figure} diag/OpenPGP_Certificate.png ```{figure} diag/OpenPGP_Certificate.png
@ -51,15 +47,9 @@ OpenPGP certificates tend to have a long lifespan, with the potential for modifi
## Component keys ## Component keys
<<<<<<< HEAD
An OpenPGP certificate usually contains multiple OpenPGP component keys.
OpenPGP component keys consist of an [asymmetric cryptographic keypair](asymmetric_key_pair) and a creation timestamp. These attributes of a component key cannot be changed after creation (in the case of ECDH keys, two additional parameters are part of a component key's constituting data[^ecdh-paramters]).
=======
An OpenPGP certificate usually contains multiple component keys. Component keys serve in one of two roles: either as an "OpenPGP primary key" or as an "OpenPGP subkey." An OpenPGP certificate usually contains multiple component keys. Component keys serve in one of two roles: either as an "OpenPGP primary key" or as an "OpenPGP subkey."
OpenPGP component keys logically consist of an [asymmetric cryptographic keypair](asymmetric_key_pair) and a creation timestamp. Once created, these attributes of a component key remain fixed (for ECDH keys, two additional parameters are part of a component key's constitutive data[^ecdh-parameters]). OpenPGP component keys logically consist of an [asymmetric cryptographic keypair](asymmetric_key_pair) and a creation timestamp. Once created, these attributes of a component key remain fixed (for ECDH keys, two additional parameters are part of a component key's constitutive data[^ecdh-parameters]).
>>>>>>> refs/remotes/origin/tammi-ch4
[^ecdh-parameters]: For [ECDH](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ecd) component keys, two additional algorithm parameters are integral to the component key's constitutive and immutable properties. Those parameters specify a hash function and a symmetric encryption algorithm. [^ecdh-parameters]: For [ECDH](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ecd) component keys, two additional algorithm parameters are integral to the component key's constitutive and immutable properties. Those parameters specify a hash function and a symmetric encryption algorithm.
@ -68,39 +58,25 @@ OpenPGP component keys logically consist of an [asymmetric cryptographic keypair
An OpenPGP component key An OpenPGP component key
``` ```
<<<<<<< HEAD In OpenPGP, component keys containing private key material include metadata that specifies the password protection scheme. However, this chapter focuses on OpenPGP certificates. The component keys of these certificates contain only the public part of its cryptographic key data. For information on private keys in OpenPGP, see {numref}`private_key_chapter`.
Component key representations that include private key material also contain metadata that specifies the password protection scheme for the private key material.
=======
Component keys containing private key material also contain metadata that specifies the password protection scheme for the private key material. However, in this chapter, we're looking at *OpenPGP certificates*, which *don't* contain private key information. Each component key of such a certificate contains only the public part of its cryptographic key data. To read more about private keys in OpenPGP, see {numref}`private_key_chapter`.
### Fingerprint ### Fingerprint
>>>>>>> refs/remotes/origin/tammi-ch4 Each OpenPGP component key allows for the generation of an *OpenPGP fingerprint* . This fingerprint is produced based on the public key material, the creation timestamp, and, when relevant, the ECDH parameters.
For each OpenPGP component key, an *OpenPGP fingerprint* can be generated. This fingerprint is derived from the combination of the public key material and creation timestamp (and ECDH parameters, if applicable).
```{figure} diag/Fingerprint.png ```{figure} diag/Fingerprint.png
Every OpenPGP component key is identifiable by a unique fingerprint. Every OpenPGP component key is identifiable by a unique fingerprint.
``` ```
<<<<<<< HEAD
The fingerprint of our example component OpenPGP key is `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3` [^keyid].
=======
The fingerprint of our example OpenPGP component key is `C0A5 8384 A438 E5A1 4F73 7124 26A4 D45D BAEE F4A3 9E6B 30B0 9D55 13F9 78AC CA94`[^keyid]. The fingerprint of our example OpenPGP component key is `C0A5 8384 A438 E5A1 4F73 7124 26A4 D45D BAEE F4A3 9E6B 30B0 9D55 13F9 78AC CA94`[^keyid].
>>>>>>> refs/remotes/origin/tammi-ch4
[^keyid]: In OpenPGP version 4, the rightmost 64 bits were sometimes used as a shorter identifier, called "Key ID." [^keyid]: In OpenPGP version 4, the rightmost 64 bits were sometimes used as a shorter identifier, called "Key ID."
For example, an OpenPGP version 4 certificate with the fingerprint `B3D2 7B09 FBA4 1235 2B41 8972 C8B8 6AC4 2455 4239` might be referenced by the 64-bit Key ID `C8B8 6AC4 2455 4239` or formatted as `0xC8B86AC424554239`. For example, an OpenPGP version 4 certificate with the fingerprint `B3D2 7B09 FBA4 1235 2B41 8972 C8B8 6AC4 2455 4239` might be referenced by the 64-bit Key ID `C8B8 6AC4 2455 4239` or formatted as `0xC8B86AC424554239`.
Historically, even shorter 32-bit identifiers were used, like this: `2455 4239`, or `0x24554239`. Such identifiers still appear in very old documents about PGP. However, [32-bit identifiers have been long deemed unfit for purpose](https://evil32.com/). At one point, 32-bit identifiers were called "short Key ID," while 64-bit identifiers were referred to as "long Key ID." Historically, even shorter 32-bit identifiers were used, like this: `2455 4239`, or `0x24554239`. Such identifiers still appear in very old documents about PGP. However, [32-bit identifiers have been long deemed unfit for purpose](https://evil32.com/). At one point, 32-bit identifiers were called "short Key ID," while 64-bit identifiers were referred to as "long Key ID."
Component keys are used in one of two roles: either as "OpenPGP primary key," or as an "OpenPGP subkey". Component keys are used in one of two roles: either as "OpenPGP primary key" or as an "OpenPGP subkey."
<<<<<<< HEAD
#### Primary key
=======
>>>>>>> refs/remotes/origin/tammi-ch4
The OpenPGP primary key is a distinct component key that serves a central role in an OpenPGP certificate: The OpenPGP primary key is a distinct component key that serves a central role in an OpenPGP certificate:
- Its fingerprint acts as the unique identifier for the entire OpenPGP certificate. - Its fingerprint acts as the unique identifier for the entire OpenPGP certificate.
@ -114,57 +90,43 @@ In the RFC, the OpenPGP primary key is occasionally referred to as "top-level ke
### Subkeys ### Subkeys
In addition to the primary key, modern OpenPGP certificates usually contain several subkeys, although they are not technically required. Modern OpenPGP certificates often include several subkeys in addition to the primary key, although these subkeys are optional.
<<<<<<< HEAD While subkeys have the same structural attributes as the primary key, they fulfill different roles. Subkeys are cryptographically linked with the primary key, a relationship further discussed in {numref}`binding_subkeys`.
Subkeys have the same structure as the primary key, but they are used in a different role. Subkeys are cryptographically linked with the primary key (more on this below).
=======
Subkeys have the same structural attributes as the primary key but fulfill a different role. Subkeys are cryptographically linked with the primary key (more on this in {numref}`binding_subkeys`).
>>>>>>> refs/remotes/origin/tammi-ch4
```{figure} diag/Subkeys.png ```{figure} diag/Subkeys.png
:name: Certificate with subkeys :name: Certificate with subkeys
:alt: Three component keys depicted. The primary key is positioned at the top, designated for certification. Below it, linked by arrows, are two more component keys, used as subkeys. They are labeled as "for encryption" and "for signing," respectively. :alt: Diagram depicting three component keys. The primary key is positioned at the top, designated for certification. Below it, connected by arrows, are two subkeys labeled as "for encryption" and "for signing," respectively.
OpenPGP certificates can contain multiple subkeys. OpenPGP certificates can contain multiple subkeys.
``` ```
#### Defining operational capabilities with Key Flags #### Defining operational capabilities with key flags
```{admonition} Warning Each component key has a set of ["key flags"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) that delineate the operations a key can perform.
Let's decide whether the capitalization of F is necessary.
```
Each component key has a set of ["Key Flags"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) that delineate the operations a key can perform. Commonly used key flags include:
Commonly used key flags are: - **Certification**: enables issuing third-party certifications
- **Signing**: allows the key to sign data
- **C**ertification (issuing third-party certifications) - **Encryption**: allows the key to encrypt data
- **S**igning (signing data) - **Authentication**: primarily used for OpenPGP authentication
- **E**ncryption (encrypting data)
- **A**uthentication (commonly used for OpenPGP authentication)
```{admonition} Warning
Accessibility. Is the bolding of C, S, E, A compatible with screenreaders? Is it worth the effort?
```
By convention, only the primary key is allowed to perform "certification" operations. All other operations can be configured on either the primary key or a subkey.
```{note} ```{note}
It is considered good practice to have separate component keys for each type of operation: to allow only *Certification* operations with the primary key, and to use separate *Signing*, *Encryption* and *Authentication* subkeys (independently: with most algorithms, encryption can't be shared with the other capabilities[^key-flag-sharing]). In line with best practices, distinct component keys should handle specific operations. The primary key should be reserved solely for certification, while separate subkeys should be used for signing, encryption, and authentication. Notably, in many algorithms, encryption capability is exclusive and cannot overlap with other operations[^key-flag-sharing]).
``` ```
[^key-flag-sharing]: With ECC algorithms, it's actually not possible to share encryption functionality with the signing-based functionalities, e.g.: ed25519 used for signing; cv25519 used for encryption. [^key-flag-sharing]: With ECC algorithms, it's impossible to combine encryption functions with those intended for signing. For example, ed25519 is specifically used for signing; cv25519 is designated for encryption.
### Component key metadata, including key flags ### Component key metadata, including key flags
The key flags for a component key are actually not defined *inside* that component key itself. The key flags for a component key are not stored within the component key directly.
Instead, key flags, together with other metadata about that component key (such as the key expiration time), are stored using mechanisms that join components together as an OpenPGP certificate: Instead, key flags, along with other metadata about that component key, such as the key expiration time, are stored using mechanisms that group components into an OpenPGP certificate:
- For the primary key, two different mechanisms can be used to define its key flags (as well as other metadata): That configuration can be associated with the [Primary User ID](primary_user_id), or via a [direct key signature](direct_key_signature). - For the primary key, its key flags and other metadata can be defined in two ways: they can be linked with the [Primary User ID](primary_user_id) or through a [direct key signature](direct_key_signature).
- For subkeys, their key flags (and other metadata) are defined with the mechanism that connects the subkey with the certificate (via the primary key). More on that [below](binding_subkeys). - For subkeys, the key flags and other metadata are set using the mechanism that ties the subkey to the certificate, specifically through the primary key. Further details on [binding subkeys](binding_subkeys) are below.
(identity_components)= (identity_components)=
@ -172,27 +134,35 @@ Instead, key flags, together with other metadata about that component key (such
Identity components in an OpenPGP certificate are used by the certificate holder to state that they are known by a certain identifier (like a name, or an email address). Identity components in an OpenPGP certificate are used by the certificate holder to state that they are known by a certain identifier (like a name, or an email address).
### User IDs ### User IDs in OpenPGP certificates
An OpenPGP certificate can contain any number of [User IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13). Each User ID associates the certificate with an identity. OpenPGP certificates can contain multiple [User IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13). Each User ID associates the certificate with an identity.
```{figure} diag/user_ids.png ```{figure} diag/user_ids.png
OpenPGP certificates can contain any number of User IDs OpenPGP certificates can contain any number of User IDs
``` ```
Often, identities in a User ID consist of a UTF-8 encoded string that is composed of a name and an email address. By convention, User IDs typically consist of an [RFC2822](https://www.rfc-editor.org/rfc/rfc2822) *name-addr*. ```{admonition} Warning
This image could be visually improved! The new image should have an alt tag
```
Also see [draft-dkg-openpgp-userid-conventions-00](https://datatracker.ietf.org/doc/draft-dkg-openpgp-userid-conventions/), 25 August 2023. A typical User ID identity is a UTF-8-encoded string composed of a name and an email address. By convention, User IDs align with the format described in [RFC2822](https://www.rfc-editor.org/rfc/rfc2822) as a *name-addr*.
For further conventions on User IDs, refer to the document [draft-dkg-openpgp-userid-conventions-00](https://datatracker.ietf.org/doc/draft-dkg-openpgp-userid-conventions/), dated 25 August 2023.
One proposed variant for encoding identities in User ID is to use ["split User IDs"](https://dkg.fifthhorseman.net/blog/2021-dkg-openpgp-transition.html#split-user-ids). One proposed variant for encoding identities in User ID is to use ["split User IDs"](https://dkg.fifthhorseman.net/blog/2021-dkg-openpgp-transition.html#split-user-ids).
```{admonition} Warning
Heiko, please clarify what the value is of this proposal or remove it.
```
(primary_user_id)= (primary_user_id)=
### Primary User ID and its implications ### Implimations of the Primary User ID
One User ID in a certificate has the special property of being the [Primary User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-primary-user-id). Within a certificate, a specific User ID is desginated as the [Primary User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-primary-user-id).
User IDs are associated with preference settings (such as preferred encryption algorithms, more on this in {numref}`zooming_in_user_id`). The preferences associated with the Primary User ID are used by default. Each User ID carries associated preference settings, such as preferred encryption algorithms, which is detailed in {numref}`zooming_in_user_id`). The preferences associated with the Primary User ID take precedence by default.
```{admonition} TODO ```{admonition} TODO
:class: warning :class: warning
@ -201,23 +171,22 @@ i think crypto-refresh suggests that the direct key signature should hold the de
we might need to write a more nuanced text here, about how DKS and primary user id interact in v6, and mention the differences to v4? we might need to write a more nuanced text here, about how DKS and primary user id interact in v6, and mention the differences to v4?
``` ```
### User attributes ### User attributes in OpenPGP
While
[user attributes](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-attribute-packet-tag-1) are similar to User IDs, they are less commonly used.
[User attributes](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-attribute-packet-tag-1) are similar to User IDs, but less commonly used. Currently, the OpenPGP standard prescribes only one format for storing user attributes: an [image](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-the-image-attribute-subpack). Typically, this image represents the key owner, but it is not required.
The OpenPGP standard currently only defines one format to store in User Attributes: an [image](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-the-image-attribute-subpack), "presumably (but not required to be) that of the key owner".
## Linking the components ## Linking the components
To form an OpenPGP certificate out of a collection of components, the certificate holder links these components together (using their OpenPGP software). To form an OpenPGP certificate, individual components are interconnected by the certificate holder using their OpenPGP software. Within OpenPGP, this process is termed "binding," as in "a subkey is bound to the primary key." These bindings are realized using cryptographic signatures. An in-depth discussion of this topic can be found in {ref}`certifications_chapter`).
The OpenPGP term for linking components is "binding," as in: "a subkey is bound to the primary key." The bindings are realized using cryptographic signatures (much more details about this are in {ref}`certifications_chapter`). In very abstract terms, the primary key of a certificate acts as a root of trust or "certification authority." It is responsible for:
In very abstract terms, the primary key of a certificate acts as a root of trust for that certificate (as a kind of "certification authority"): - issuing signatures that express the certificate holder's intent to use specific subkeys or identity components.
- conducting other lifecycle operations, including setting expiration dates and marking components as invalidated or "revoked."
The primary key issues signatures that express the certificate holder's intent to use subkeys or identity components. It also performs other lifecycle operations, such as setting expiration times, or marking components as invalidated ("revoked"). By binding components using digital signatures, recipients of an OpenPGP certificate need only validate the authenticity of the primary key to use for their communication partner. Traditionally, this is done by manually verifying the *fingerprint* of the primary key. Once the validity of the primary key is confirmed, the validity of the remaining components can be automatically assessed by the user's OpenPGP software. Generally, components are valid parts of a certificate if there is a statement signed by the certificate's primary key endorsing this validity.
Binding components together with digital signatures means that recipients of an OpenPGP certificate only need to verify that the primary key is the correct one to use for their communication partner (traditionally, this has often been done by manually verifying the *fingerprint* of the primary key). Once the validity of the primary key is established, the validity of all other components can be automatically determined by the user's OpenPGP software. To a first estimation, components are valid parts of a certificate if there is a statement signed with the certificate's primary key that expresses this validity.
## Revocations ## Revocations