mirror of https://codeberg.org/openpgp/notes.git (synced 2024-11-29 11:02:06 +01:00)
Start content of verification chapter
This commit is contained in:
parent a7a7342501
commit 2dd5eb42d3
2 changed files with 37 additions and 0 deletions
@ -5,6 +5,20 @@
## When are signatures valid?
The validity of a signature is constrained by a number of conditions.
First and foremost, a signature must be cryptographically correct, meaning the signature as well as the signed information must be intact.
Futhermore, signatures on a certificate form a chain, originating from the certificates primary key down to signatures issued by the certificate.
In order to verify, whether a signature is valid, the whole signature chain must be checked, taking expiration dates, capabilities and revocations into account.
For example, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate.
The signature might be invalidated by corruption of the text document, corruption of the data signature packet, expiration or revocation of the primary or signing subkey, or revocation/expiration of the primary User ID.
Furthermore, the signature might not be valid in the first place, due to a missing subkey binding signature, or a missing `SIGN_DATA` keyflag on the subkey binding signature.
```{include} mermaid/09-sigtree.md
```
- Validity as a tree of signatures
## Which signatures take precedence?
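Review bot: The "For example" paragraph names the direct-key signature and the subkey binding signature as the things to check, but the hunk never mentions the signature creation time, which is the reference time the whole chain has to be evaluated at: a data signature made after a soft revocation of the subkey, or made before the subkey's binding signature existed, is not valid even when every packet listed here is intact. Suggest extending "taking expiration dates, capabilities and revocations into account" with creation time, and distinguishing hard revocations (key compromised, or no reason given), which invalidate signatures regardless of when they were made, from soft ones (superseded, retired), which only affect signatures made after the revocation. The direct-key signature is optional on v4 certificates, so "would need to verify ... the direct-key signature" should be qualified with "if present". Minor: "Futhermore" should read "Furthermore", "the certificates primary key" needs an apostrophe ("certificate's"), and the comma in "In order to verify, whether" should be dropped.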
book/source/mermaid/09-sigtree.md (Normal file, 23 lines)
@ -0,0 +1,23 @@
```{mermaid}
flowchart TD
subgraph Certificate
pk["Primary Key"]
uid["#quot;Alice #lt;alice@example.org#gt;#quot;"]
sk["Signing Subkey"]
usig(["PositiveCertification
PrimaryUserID: true"])
dksig(["DirectKeySignature"])
sksig(["SubkeyBindingSignature
KeyFlags: Sign Data
EmbeddedSignature: BackSignature"])
pk --- usig --> uid
dksig --> pk --- dksig
pk --- sksig --> sk
end
ds(["Data Signature"])
data("Data")
sk --- ds --> data
```
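Review bot: The edge `dksig --> pk --- dksig` draws the direct-key signature as a two-headed loop on the primary key, while every other signature in the diagram follows the `issuer --- sig --> target` convention (`pk --- usig --> uid`, `pk --- sksig --> sk`, `sk --- ds --> data`), so a reader cannot tell which end is the issuer. Since the primary key issues the direct-key signature over itself, `pk --- dksig --> pk` keeps the convention and still renders as a self-loop. The back-signature only appears as text inside the `sksig` label, although the chapter text in the other hunk lists it as a signature that must be verified in its own right; an explicit node and edge such as `sk --- bsig --> pk` would show that it is the subkey certifying the primary key, i.e. the one edge in this tree that points back up the chain.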