From 2df7aa779d717e77926022262d0ebc104101f573 Mon Sep 17 00:00:00 2001
From: Heiko Schaefer <heiko@schaefer.name>
Date: Sat, 14 Oct 2023 15:01:52 +0200
Subject: [PATCH] ch4: Outline how key flags are set

(addresses one point of #63)
---
 book/source/04-certificates.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md
index 36ea229..c083959 100644
--- a/book/source/04-certificates.md
+++ b/book/source/04-certificates.md
@@ -124,6 +124,15 @@ It is considered good practice to have separate component keys for each type of
 
 [^key-flag-sharing]: With ECC algorithms, it's actually not possible to share encryption functionality with the signing-based functionalities, e.g.: ed25519 used for signing; cv25519 used for encryption.
 
+#### Component key metadata, including key flags
+
+The key flags for a component key are actually not defined *inside* that component key itself.
+
+Instead, key flags, together with other metadata about that component key (such as the key expiration time), are stored using mechanisms that join components together as an OpenPGP certificate:
+
+- For the primary key, two different mechanisms can be used to define its key flags (as well as other metadata): That configuration can be associated with the [Primary User ID](primary_user_id), or via a [direct key signature](direct_key_signature).
+- For subkeys, their key flags (and other metadata) are defined with the mechanism that connects the subkey with the certificate (via the primary key). More on that [below](binding_subkeys).
+
 
 (identity_components)=
 ### Identity components
@@ -141,6 +150,7 @@ Often, identities in a User ID consist of a string that is composed of a name an
 OpenPGP certificates can contain any number of User IDs
 ```
 
+(primary_user_id)=
 #### Primary User ID and its implications
 
 One User ID in a certificate has the special property of being the [Primary User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-primary-user-id).
@@ -227,6 +237,13 @@ Alice can link a User ID to her OpenPGP certificate with a cryptographic signatu
 Linking a User ID to an OpenPGP certificate
 ```
 
+(direct_key_signature)=
+#### Direct key signature
+
+```{admonition} TODO
+explain metadata associated with this signature, and that c-r prefers this over primary user id.
+```
+
 (third_party_cert)=
 ## Third party (identity) certifications