vanitasvitae/openpgp-notes
1
0
Fork 0
mirror of https://codeberg.org/openpgp/notes.git synced 2024-11-26 17:42:06 +01:00
Code Issues Projects Releases Packages Wiki Activity

clarify that "authentication" key flag is not about validating user ids

Browse source
This commit is contained in:
Heiko Schaefer 2023-11-21 10:13:32 +01:00
parent ff198a3413
commit 42b9e98e21
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
book/source/04-certificates.md
View file

@ -190,7 +190,9 @@ Commonly used key flags include:
- **Certification**: enables issuing third-party certifications - **Certification**: enables issuing third-party certifications
- **Signing**: allows the key to sign data - **Signing**: allows the key to sign data
- **Encryption**: allows the key to encrypt data - **Encryption**: allows the key to encrypt data
- **Authentication**: primarily used for SSH authentication - **Authentication**: primarily used for SSH authentication[^auth-flag]
[^auth-flag]: Note that the capability offered by the [authentication](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-authentication-via-digital-) key flag is unrelated to "authentication" in the context of certifying and verifying OpenPGP identities and their connection to certificates. This key flag is about a mechanism that proves control of private key material to a remote system, using cryptographic signatures.
```{note} ```{note}
Distinct component keys handle specific operations. Only the primary key can be used for certification, although it can have additional capabilities. Subkeys can be used for signing, encryption, and authentication but cannot have the certification capability. It is considered good practice, however, to [use separate keys for each capability](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-10.1.5-7). Distinct component keys handle specific operations. Only the primary key can be used for certification, although it can have additional capabilities. Subkeys can be used for signing, encryption, and authentication but cannot have the certification capability. It is considered good practice, however, to [use separate keys for each capability](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-10.1.5-7).