mirror of
https://codeberg.org/openpgp/notes.git
synced 2024-11-29 19:12:06 +01:00
ch4: new text about third-party certifications
This commit is contained in:
parent
441936eb98
commit
451b881c03
1 changed files with 7 additions and 14 deletions
|
@ -237,13 +237,15 @@ Note that there are other ways besides revocations in which components can becom
|
||||||
|
|
||||||
## Third-party (identity) certifications
|
## Third-party (identity) certifications
|
||||||
|
|
||||||
```{admonition} TODO
|
Third-party identity certifications have been a pivotal mechanism in the OpenPGP ecosystem since the beginning. The designers of PGP, beginning with Phil Zimmermann, have favored decentralized trust models, which don't hinge on centralized authorities.
|
||||||
:class: warning
|
|
||||||
|
|
||||||
This section needs to be written
|
Third-party certifications are statements by OpenPGP users who attest that they have confirmed that a particular OpenPGP certificate belongs to a user with a particular identity.
|
||||||
```
|
|
||||||
|
|
||||||
Third-party identity certifications have historically played a pivotal role in the OpenPGP ecosystem.
|
For example, Bob's OpenPGP software may issue a certification that Bob has checked that the User ID `Alice Adams <alice@example.org>` and the certificate with the fingerprint `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3` are legitimately linked.
|
||||||
|
|
||||||
|
This presupposes that Bob knows this person who goes by "Alice Adams", and is satisfied that Alice uses the email address `alice@example.org`. Further, that Bob has verified that the certificate his OpenPGP software uses for Alice matches the certificate that Alice is using. Effectively this verification must ensure that both users have a certificate for Alice with the same fingerprint. In OpenPGP version 6, manual comparison of the fingerprint by end users is discouraged. A replacement mechanism is still pending. The verification must use a sufficiently secure channel, for example an end-to-end encrypted video call, or an in-person meeting.
|
||||||
|
|
||||||
|
For more on third-party certifications, see {ref}`third_party_cert`.
|
||||||
|
|
||||||
### Security considerations
|
### Security considerations
|
||||||
|
|
||||||
|
@ -255,15 +257,6 @@ It also opens the door to potential denial-of-service attacks, rendering the cer
|
||||||
|
|
||||||
The popular [SKS keyserver network experienced certificate flooding firsthand](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), causing it to shut down operations in 2019.
|
The popular [SKS keyserver network experienced certificate flooding firsthand](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), causing it to shut down operations in 2019.
|
||||||
|
|
||||||
### Improved mechanisms in OpenPGP v6
|
|
||||||
|
|
||||||
```{admonition} TODO
|
|
||||||
:class: warning
|
|
||||||
|
|
||||||
This section needs to be written
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Advanced topics
|
## Advanced topics
|
||||||
|
|
||||||
```{admonition} TODO
|
```{admonition} TODO
|
||||||
|
|
Loading…
Reference in a new issue