mirror of
https://codeberg.org/openpgp/notes.git
synced 2024-11-26 17:42:06 +01:00
edit ch8 binding identities
This commit is contained in:
parent
7d1d69d372
commit
28a69fe381
1 changed files with 4 additions and 8 deletions
|
@ -126,23 +126,19 @@ The back signature signifies the mutuality of the subkey's association with the
|
|||
(bind_ident)=
|
||||
### Binding identities to a certificate
|
||||
|
||||
Another use-case for a self-signature is to link an identity component (such as a User ID that specifies a name and email address) to a certificate.
|
||||
Self-signatures also play a vital role in binding identity components, such as User IDs or User Attributes, to an OpenPGP certificate.
|
||||
|
||||
User ID components are bound to an OpenPGP certificate by issuing a certifying self-signature. "User Attributes" work analogously.
|
||||
Take for instance, the User ID `Alice Adams <alice@example.org>`. To link this User ID to her OpenPGP certificate (e.g., `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3`), Alice would use a cryptographic signature.
|
||||
|
||||
For example, the User ID `Alice Adams <alice@example.org>` may be associated with Alice's certificate `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3`.
|
||||
There are four types of *certifying self-signature*. The most commonly used type for binding User IDs is the [positive certification](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-positive-cert) (type ID `0x13`). Alternatively, types `0x10`, `0x11` or `0x12` might be used. This binding signature must be issued by the primary key.
|
||||
|
||||
Alice can link a User ID to her OpenPGP certificate with a cryptographic signature. To link a User ID, a *certifying self-signature* is created. There are four variant certifying self-signature types. Usually the signature type [positive certification](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-positive-cert) (type ID `0x13`) is used to bind User IDs to one's certificate (sometimes, type ID `0x10`, `0x11` or `0x12` may be used instead). This binding signature must be issued by the primary key.
|
||||
|
||||
The resulting certifying self-signature packet is stored as part of the certificate, directly following the User ID packet.
|
||||
The certifying self-signature packet – calculated over the primary key, User ID, and metadata of the signature packet – is then appended to the certificate, directly following the User ID packet.
|
||||
|
||||
```{figure} diag/user_id_certification.png
|
||||
|
||||
Linking a User ID to an OpenPGP certificate
|
||||
```
|
||||
|
||||
This signature is calculated over the primary key, User ID and the metadata of the signature packet.
|
||||
|
||||
(primary-metadata)=
|
||||
### Adding metadata to the primary key/certificate
|
||||
|
||||
|
|
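Review bot: "metadata of the signature packet" in the merged sentence ("The certifying self-signature packet – calculated over the primary key, User ID, and metadata of the signature packet – is then appended …") is vague about which part of the packet the hash covers; say "the hashed fields of the signature packet" (its version, type, algorithm identifiers and hashed subpacket area), since a reader of a binding chapter may otherwise assume the entire packet, unhashed subpackets included, is under the signature. Also, the sentence listing the four certifying self-signature types links only the positive-certification section for `0x13`; consider linking the draft section that defines `0x10`, `0x11` and `0x12` as well, so the reader can see what distinguishes them before choosing one.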