diff --git a/book/source/08-signing_components.md b/book/source/08-signing_components.md index a4af29e..c01fa35 100644 --- a/book/source/08-signing_components.md +++ b/book/source/08-signing_components.md 
@@ -126,23 +126,19 @@ The back signature signifies the mutuality of the subkey's association with the (bind_ident)= ### Binding identities to a certificate -Another use-case for a self-signature is to link an identity component (such as a User ID that specifies a name and email address) to a certificate. +Self-signatures also play a vital role in binding identity components, such as User IDs or User Attributes, to an OpenPGP certificate. -User ID components are bound to an OpenPGP certificate by issuing a certifying self-signature. "User Attributes" work analogously. +Take for instance, the User ID `Alice Adams `. To link this User ID to her OpenPGP certificate (e.g., `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3`), Alice would use a cryptographic signature. -For example, the User ID `Alice Adams ` may be associated with Alice's certificate `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3`. +There are four types of *certifying self-signature*. The most commonly used type for binding User IDs is the [positive certification](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-positive-cert) (type ID `0x13`). Alternatively, types `0x10`, `0x11` or `0x12` might be used. This binding signature must be issued by the primary key. -Alice can link a User ID to her OpenPGP certificate with a cryptographic signature. To link a User ID, a *certifying self-signature* is created. There are four variant certifying self-signature types. Usually the signature type [positive certification](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-positive-cert) (type ID `0x13`) is used to bind User IDs to one's certificate (sometimes, type ID `0x10`, `0x11` or `0x12` may be used instead). This binding signature must be issued by the primary key. 
- -The resulting certifying self-signature packet is stored as part of the certificate, directly following the User ID packet. +The certifying self-signature packet – calculated over the primary key, User ID, and metadata of the signature packet – is then appended to the certificate, directly following the User ID packet. ```{figure} diag/user_id_certification.png Linking a User ID to an OpenPGP certificate ``` -This signature is calculated over the primary key, User ID and the metadata of the signature packet. - (primary-metadata)= ### Adding metadata to the primary key/certificate
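Review bot: the example User ID in the new "Take for instance" sentence reads `Alice Adams ` with a trailing space and nothing after the name; if the example was meant to include an email address in angle brackets, check that the source line still has it and that the angle brackets survive rendering, since the same truncation appears in the removed line as well. Minor wording points in the same hunk: "Take for instance, the User ID" should be "Take, for instance, the User ID", and the sentence "Alternatively, types `0x10`, `0x11` or `0x12` might be used" would be more useful to readers if it said in one clause how those three certification types differ from the positive certification (`0x13`) it recommends, or linked to their definitions the way `0x13` is linked.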