Start content of verification chapter

book/source/09-verification.md

@@ -5,6 +5,20 @@
 
 ## When are signatures valid?
 
+The validity of a signature is constrained by a number of conditions.
+First and foremost, a signature must be cryptographically correct, meaning the signature as well as the signed information must be intact.
+Futhermore, signatures on a certificate form a chain, originating from the certificates primary key down to signatures issued by the certificate.
+In order to verify, whether a signature is valid, the whole signature chain must be checked, taking expiration dates, capabilities and revocations into account.
+
+For example, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate.
+
+The signature might be invalidated by corruption of the text document, corruption of the data signature packet, expiration or revocation of the primary or signing subkey, or revocation/expiration of the primary User ID.
+Furthermore, the signature might not be valid in the first place, due to a missing subkey binding signature, or a missing `SIGN_DATA` keyflag on the subkey binding signature.
+
+```{include} mermaid/09-sigtree.md
+```
+
+
 - Validity as a tree of signatures
 
 ## Which signatures take precedence?

book/source/mermaid/09-sigtree.md

@@ -0,0 +1,23 @@
+```{mermaid}
+flowchart TD
+    subgraph Certificate
+    pk["Primary Key"]
+    uid["#quot;Alice #lt;alice@example.org#gt;#quot;"]
+    sk["Signing Subkey"]
+
+    usig(["PositiveCertification
+    PrimaryUserID: true"])
+    dksig(["DirectKeySignature"])
+    sksig(["SubkeyBindingSignature
+    KeyFlags: Sign Data
+    EmbeddedSignature: BackSignature"])
+    pk --- usig --> uid
+    dksig --> pk --- dksig
+    pk --- sksig --> sk
+    end
+
+    ds(["Data Signature"])
+    data("Data")
+
+    sk --- ds --> data
+```