vanitasvitae/openpgp-notes
1
0
Fork 0
mirror of https://codeberg.org/openpgp/notes.git synced 2024-11-22 07:32:05 +01:00
Code Issues Projects Releases Packages Wiki Activity

ch4: new text about third-party certifications

Browse source
This commit is contained in:
Heiko Schaefer 2023-11-15 00:03:13 +01:00
parent 441936eb98
commit 451b881c03
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB
1 changed files with 7 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
book/source/04-certificates.md
View file

@ -237,13 +237,15 @@ Note that there are other ways besides revocations in which components can becom
## Third-party (identity) certifications
```{admonition} TODO
:class: warning
Third-party identity certifications have been a pivotal mechanism in the OpenPGP ecosystem since the beginning. The designers of PGP, beginning with Phil Zimmermann, have favored decentralized trust models, which don't hinge on centralized authorities.
This section needs to be written
```
Third-party certifications are statements by OpenPGP users who attest that they have confirmed that a particular OpenPGP certificate belongs to a user with a particular identity.
Third-party identity certifications have historically played a pivotal role in the OpenPGP ecosystem.
For example, Bob's OpenPGP software may issue a certification that Bob has checked that the User ID `Alice Adams <alice@example.org>` and the certificate with the fingerprint `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3` are legitimately linked.
This presupposes that Bob knows this person who goes by "Alice Adams", and is satisfied that Alice uses the email address `alice@example.org`. Further, that Bob has verified that the certificate his OpenPGP software uses for Alice matches the certificate that Alice is using. Effectively this verification must ensure that both users have a certificate for Alice with the same fingerprint. In OpenPGP version 6, manual comparison of the fingerprint by end users is discouraged. A replacement mechanism is still pending. The verification must use a sufficiently secure channel, for example an end-to-end encrypted video call, or an in-person meeting.
For more on third-party certifications, see {ref}`third_party_cert`.
### Security considerations
@ -255,15 +257,6 @@ It also opens the door to potential denial-of-service attacks, rendering the cer
The popular [SKS keyserver network experienced certificate flooding firsthand](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), causing it to shut down operations in 2019.
### Improved mechanisms in OpenPGP v6
```{admonition} TODO
:class: warning
This section needs to be written
```
## Advanced topics
```{admonition} TODO