ch4: Outline how key flags are set

(addresses one point of #63)
This commit is contained in:
Heiko Schaefer 2023-10-14 15:01:52 +02:00
parent 443023b8e9
commit 2df7aa779d
No known key found for this signature in database
GPG key ID: 4A849A1904CCBD7D

View file

@ -124,6 +124,15 @@ It is considered good practice to have separate component keys for each type of
[^key-flag-sharing]: With ECC algorithms, it's actually not possible to share encryption functionality with the signing-based functionalities, e.g.: ed25519 used for signing; cv25519 used for encryption. [^key-flag-sharing]: With ECC algorithms, it's actually not possible to share encryption functionality with the signing-based functionalities, e.g.: ed25519 used for signing; cv25519 used for encryption.
#### Component key metadata, including key flags
The key flags for a component key are actually not defined *inside* that component key itself.
Instead, key flags, together with other metadata about that component key (such as the key expiration time), are stored using mechanisms that join components together as an OpenPGP certificate:
- For the primary key, two different mechanisms can be used to define its key flags (as well as other metadata): That configuration can be associated with the [Primary User ID](primary_user_id), or via a [direct key signature](direct_key_signature).
- For subkeys, their key flags (and other metadata) are defined with the mechanism that connects the subkey with the certificate (via the primary key). More on that [below](binding_subkeys).
(identity_components)= (identity_components)=
### Identity components ### Identity components
@ -141,6 +150,7 @@ Often, identities in a User ID consist of a string that is composed of a name an
OpenPGP certificates can contain any number of User IDs OpenPGP certificates can contain any number of User IDs
``` ```
(primary_user_id)=
#### Primary User ID and its implications #### Primary User ID and its implications
One User ID in a certificate has the special property of being the [Primary User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-primary-user-id). One User ID in a certificate has the special property of being the [Primary User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-primary-user-id).
@ -227,6 +237,13 @@ Alice can link a User ID to her OpenPGP certificate with a cryptographic signatu
Linking a User ID to an OpenPGP certificate Linking a User ID to an OpenPGP certificate
``` ```
(direct_key_signature)=
#### Direct key signature
```{admonition} TODO
explain metadata associated with this signature, and that c-r prefers this over primary user id.
```
(third_party_cert)= (third_party_cert)=
## Third party (identity) certifications ## Third party (identity) certifications