ch4: new text about third-party certifications

This commit is contained in:
Heiko Schaefer 2023-11-15 00:03:13 +01:00
parent 441936eb98
commit 451b881c03
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB


@ -237,13 +237,15 @@ Note that there are other ways besides revocations in which components can becom
## Third-party (identity) certifications ## Third-party (identity) certifications
```{admonition} TODO Third-party identity certifications have been a pivotal mechanism in the OpenPGP ecosystem since the beginning. The designers of PGP, beginning with Phil Zimmermann, have favored decentralized trust models, which don't hinge on centralized authorities.
:class: warning
This section needs to be written Third-party certifications are statements by OpenPGP users who attest that they have confirmed that a particular OpenPGP certificate belongs to a user with a particular identity.
```
Third-party identity certifications have historically played a pivotal role in the OpenPGP ecosystem. For example, Bob's OpenPGP software may issue a certification that Bob has checked that the User ID `Alice Adams <alice@example.org>` and the certificate with the fingerprint `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3` are legitimately linked.
This presupposes that Bob knows this person who goes by "Alice Adams", and is satisfied that Alice uses the email address `alice@example.org`. Further, that Bob has verified that the certificate his OpenPGP software uses for Alice matches the certificate that Alice is using. Effectively this verification must ensure that both users have a certificate for Alice with the same fingerprint. In OpenPGP version 6, manual comparison of the fingerprint by end users is discouraged. A replacement mechanism is still pending. The verification must use a sufficiently secure channel, for example an end-to-end encrypted video call, or an in-person meeting.
For more on third-party certifications, see {ref}`third_party_cert`.
### Security considerations ### Security considerations
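Review bot: "Further, that Bob has verified that the certificate his OpenPGP software uses for Alice matches the certificate that Alice is using." is a sentence fragment; fold it into the preceding sentence, e.g. "...is satisfied that Alice uses the email address `alice@example.org`, and has verified that the certificate his OpenPGP software uses for Alice matches the certificate that Alice is using." The same paragraph also orders its caveats awkwardly: "The verification must use a sufficiently secure channel, for example an end-to-end encrypted video call, or an in-person meeting." describes how the fingerprint comparison is done, yet it comes after "In OpenPGP version 6, manual comparison of the fingerprint by end users is discouraged. A replacement mechanism is still pending."; move the secure-channel sentence directly after "Effectively this verification must ensure that both users have a certificate for Alice with the same fingerprint." so the v6 caveat closes the paragraph. That v6 claim should also cite the specification section it rests on, so readers can check what exactly is discouraged and why. Finally, the opening "Third-party identity certifications have been a pivotal mechanism in the OpenPGP ecosystem since the beginning." and the later "Third-party identity certifications have historically played a pivotal role in the OpenPGP ecosystem." say the same thing; keep one.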
@ -255,15 +257,6 @@ It also opens the door to potential denial-of-service attacks, rendering the cer
The popular [SKS keyserver network experienced certificate flooding firsthand](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), causing it to shut down operations in 2019. The popular [SKS keyserver network experienced certificate flooding firsthand](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), causing it to shut down operations in 2019.
### Improved mechanisms in OpenPGP v6
```{admonition} TODO
:class: warning
This section needs to be written
```
## Advanced topics ## Advanced topics
```{admonition} TODO ```{admonition} TODO