diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 36ea229..c083959 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -124,6 +124,15 @@ It is considered good practice to have separate component keys for each type of [^key-flag-sharing]: With ECC algorithms, it's actually not possible to share encryption functionality with the signing-based functionalities, e.g.: ed25519 used for signing; cv25519 used for encryption. +#### Component key metadata, including key flags + +The key flags for a component key are actually not defined *inside* that component key itself. + +Instead, key flags, together with other metadata about that component key (such as the key expiration time), are stored using mechanisms that join components together as an OpenPGP certificate: + +- For the primary key, two different mechanisms can be used to define its key flags (as well as other metadata): That configuration can be associated with the [Primary User ID](primary_user_id), or via a [direct key signature](direct_key_signature). +- For subkeys, their key flags (and other metadata) are defined with the mechanism that connects the subkey with the certificate (via the primary key). More on that [below](binding_subkeys). + (identity_components)= ### Identity components @@ -141,6 +150,7 @@ Often, identities in a User ID consist of a string that is composed of a name an OpenPGP certificates can contain any number of User IDs ``` +(primary_user_id)= #### Primary User ID and its implications One User ID in a certificate has the special property of being the [Primary User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-primary-user-id). @@ -227,6 +237,13 @@ Alice can link a User ID to her OpenPGP certificate with a cryptographic signatu Linking a User ID to an OpenPGP certificate ``` +(direct_key_signature)= +#### Direct key signature + +```{admonition} TODO +explain metadata associated with this signature, and that c-r prefers this over primary user id. +``` + (third_party_cert)= ## Third party (identity) certifications