ch4: restructure packet splitting text sections

book/source/04-certificates.md

@@ -321,13 +321,16 @@ Note that the secret key material we're using in this chapter is not password pr
 
 In this section, we use the Sequoia-PGP tool `sq` to handle and transform our example OpenPGP key, and to inspect internal OpenPGP packet data.
 
-One way to produce this minimal version of Alice's key is:
+(split_alice)=
+#### Splitting an OpenPGP key into packets
+
+One way to produce a very minimal version of Alice's key is to split her full key into its component packets, and join only the relevant ones back together into a variant of the key.
 
 ```text
 $ sq packet split alice.priv
 ```
 
-With this command, `sq` generates a set of files, one for each packet in `alice.priv`:
+With this command, `sq` generates a set of files, each containing an individual OpenPGP packet of the original full key in `alice.priv`:
 
 ```text
 alice.priv-0--SecretKey
@@ -342,12 +345,32 @@ alice.priv-8--SecretSubkey
 alice.priv-9--Signature
 ```
 
+```{admonition} VISUAL
+:class: warning
+
+Show a very abstract diagram of the packets of Alice's OpenPGP key (above):
+- Secret-Key packet
+- Direct Key Signature
+- User ID
+- Certifying self-signature for User ID
+- Secret-Subkey packet
+- Subkey binding signature
+- Secret-Subkey packet
+- Subkey binding signature
+- Secret-Subkey packet
+- Subkey binding signature
+```
+
+#### Joining packets into an OpenPGP key
+
 For our first step, we'll use just the first two of these packets, and join them together as a private key:
 
 ```text
 $ sq packet join alice.priv-0--SecretKey alice.priv-1--Signature --output alice_minimal.priv
 ```
 
+#### Inspecting this key
+
 This version of Alice's key contains just two packets:
 
 - The [*Secret-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats) for the primary key, and
@@ -649,31 +672,18 @@ Now we'll look at a subkey in Alice's key. An OpenPGP subkey, when it is linked
 - a key packet that contains the component key itself, and
 - a signature packet that links this component key to the primary key (and thus implicitly to the full OpenPGP certificate).
 
-In this section, we'll use the files that contain individual packets of Alice's key, which we generated above. In this split representation of Alice's key, the encryption subkey happens to be stored in `alice.priv-4--SecretSubkey`, and the associated binding self-signature for the subkey in `alice.priv-5--Signature`.
-
+In this section, we'll use the files that contain individual packets of Alice's key, which we split apart above. In this split representation of Alice's key, the encryption subkey happens to be stored in `alice.priv-4--SecretSubkey`, and the associated binding self-signature for the subkey in `alice.priv-5--Signature`.
 
 ````{note}
-It's common to look at a packet dump for a full OpenPGP key (not split apart), like this:
+It's common to look at a packet dump for a full OpenPGP key, like this:
 
 ```text
 $ sq packet dump --hex alice.priv
 ```
 
-That output shows a much longer series of packets (as shown in the diagram below). This output will contain the two packets we now look at, with the exact same data, but they would be a bit harder to locate visually.
+That command shows the details for the full series of packets in an OpenPGP certificate (recall the list of [packets of Alice's key](split_alice)). Finding a particular packet in that list can take a moment.
 
-```{admonition} VISUAL
-:class: warning
-
-Show a very abstract diagram of packets in a typical full OpenPGP key:
-- Secret-Key packet
-- Direct Key Signature
-- User ID
-- Certifying self-signature for User ID
-- Secret-Subkey packet
-- Subkey binding signature
-- Secret-Subkey packet
-- Subkey binding signature
-```
+In the following sections we're making it a bit easier for ourselves, and directly look at individual packets, from the files we created with `sq packet split`, above.
 ````
 
 #### Secret-Subkey packet