From 2dd5eb42d322646964c39c7bacb2b7e8241d1bf1 Mon Sep 17 00:00:00 2001
From: Paul Schaub
Date: Mon, 9 Oct 2023 14:39:38 +0200
Subject: [PATCH] Start content of verification chapter

---
 book/source/09-verification.md | 14 ++++++++++++++
 book/source/mermaid/09-sigtree.md | 23 +++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 book/source/mermaid/09-sigtree.md

diff --git a/book/source/09-verification.md b/book/source/09-verification.md
index bee54ba..0da6a94 100644
--- a/book/source/09-verification.md
+++ b/book/source/09-verification.md
@@ -5,6 +5,20 @@
 
 ## When are signatures valid?
 
+The validity of a signature is constrained by a number of conditions.
+First and foremost, a signature must be cryptographically correct, meaning the signature as well as the signed information must be intact.
+Futhermore, signatures on a certificate form a chain, originating from the certificates primary key down to signatures issued by the certificate.
+In order to verify, whether a signature is valid, the whole signature chain must be checked, taking expiration dates, capabilities and revocations into account.
+
+For example, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate.
+
+The signature might be invalidated by corruption of the text document, corruption of the data signature packet, expiration or revocation of the primary or signing subkey, or revocation/expiration of the primary User ID.
+Furthermore, the signature might not be valid in the first place, due to a missing subkey binding signature, or a missing `SIGN_DATA` keyflag on the subkey binding signature.
+
+```{include} mermaid/09-sigtree.md
+```
+
+
 - Validity as a tree of signatures
 
 ## Which signatures take precedence?
diff --git a/book/source/mermaid/09-sigtree.md b/book/source/mermaid/09-sigtree.md
new file mode 100644
index 0000000..2ef16cd
--- /dev/null
+++ b/book/source/mermaid/09-sigtree.md
@@ -0,0 +1,23 @@
+```{mermaid}
+flowchart TD
+ subgraph Certificate
+ pk["Primary Key"]
+ uid["#quot;Alice #lt;alice@example.org#gt;#quot;"]
+ sk["Signing Subkey"]
+
+ usig(["PositiveCertification
+ PrimaryUserID: true"])
+ dksig(["DirectKeySignature"])
+ sksig(["SubkeyBindingSignature
+ KeyFlags: Sign Data
+ EmbeddedSignature: BackSignature"])
+ pk --- usig --> uid
+ dksig --> pk --- dksig
+ pk --- sksig --> sk
+ end
+
+ ds(["Data Signature"])
+ data("Data")
+
+ sk --- ds --> data
+```
\ No newline at end of file