diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index cd4bdb7..f3d3bbd 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -237,13 +237,15 @@ Note that there are other ways besides revocations in which components can becom ## Third-party (identity) certifications -```{admonition} TODO -:class: warning +Third-party identity certifications have been a pivotal mechanism in the OpenPGP ecosystem since the beginning. The designers of PGP, beginning with Phil Zimmermann, have favored decentralized trust models, which don't hinge on centralized authorities. -This section needs to be written -``` +Third-party certifications are statements by OpenPGP users who attest that they have confirmed that a particular OpenPGP certificate belongs to a user with a particular identity. -Third-party identity certifications have historically played a pivotal role in the OpenPGP ecosystem. +For example, Bob's OpenPGP software may issue a certification that Bob has checked that the User ID `Alice Adams ` and the certificate with the fingerprint `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3` are legitimately linked. + +This presupposes that Bob knows this person who goes by "Alice Adams", and is satisfied that Alice uses the email address `alice@example.org`. Further, that Bob has verified that the certificate his OpenPGP software uses for Alice matches the certificate that Alice is using. Effectively this verification must ensure that both users have a certificate for Alice with the same fingerprint. In OpenPGP version 6, manual comparison of the fingerprint by end users is discouraged. A replacement mechanism is still pending. The verification must use a sufficiently secure channel, for example an end-to-end encrypted video call, or an in-person meeting. + +For more on third-party certifications, see {ref}`third_party_cert`. ### Security considerations 
@@ -255,15 +257,6 @@ It also opens the door to potential denial-of-service attacks, rendering the cer The popular [SKS keyserver network experienced certificate flooding firsthand](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), causing it to shut down operations in 2019. -### Improved mechanisms in OpenPGP v6 - -```{admonition} TODO -:class: warning - -This section needs to be written -``` - - ## Advanced topics ```{admonition} TODO
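Review bot: In the first hunk (the new "Third-party (identity) certifications" text, `@@ -237,13 +237,15 @@`), the example User ID `Alice Adams ` has no email address, yet the next paragraph says Bob "is satisfied that Alice uses the email address `alice@example.org`". As written, the certification in the example binds a name only and the email discussion that follows does not apply to it; the User ID should presumably read `Alice Adams <alice@example.org>` so the two paragraphs describe the same binding. Two smaller points in the same hunk: "Effectively this verification must ensure that both users have a certificate for Alice with the same fingerprint." restates the preceding sentence and could be folded into it, and the claim "In OpenPGP version 6, manual comparison of the fingerprint by end users is discouraged. A replacement mechanism is still pending." needs a pointer to the relevant part of the v6 specification so readers can see what is discouraged and why. Also confirm that the `third_party_cert` label used in `{ref}` is defined elsewhere in the book, otherwise the build will emit an unresolved-reference warning.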
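Review bot: In the second hunk (`@@ -255,15 +257,6 @@`), deleting the "### Improved mechanisms in OpenPGP v6" placeholder removes the only spot in this chapter earmarked for the v6 changes, while the first hunk now asserts that v6 discourages manual fingerprint comparison and that a replacement mechanism is pending. Either keep a short stub, or add a sentence under "### Security considerations" saying where the v6 discussion will live, so that statement in the new third-party certifications text does not dangle. Also check that removing the nine lines does not leave a double blank line between the SKS paragraph and `## Advanced topics`.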