From a8d33c84b559e09811ea4ddcbb76d353959755e6 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 14 Dec 2023 15:17:56 +0100 Subject: [PATCH 01/39] Fix glossary link markup (Thanks, Ryan!) --- book/source/certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/certificates.md b/book/source/certificates.md index 345c75f..30e9744 100644 --- a/book/source/certificates.md +++ b/book/source/certificates.md @@ -185,7 +185,7 @@ To form an {term}`OpenPGP certificate`, individual {term}`components` In very abstract terms, the {term}`primary key` of a {term}`certificate` acts as a root of trust or "{term}`certification authority`." It is responsible for: - issuing {term}`signatures` that express the {term}`certificate holder`'s intent to use specific {term}`subkeys` or {term}`identity components`; -- conducting other lifecycle operations, including setting {term}`expiration` dates and marking {term}`components` as {term}`invalidated` or "`revoked`." +- conducting other lifecycle operations, including setting {term}`expiration` dates and marking {term}`components` as {term}`invalidated` or "{term}`revoked`." By binding {term}`components` using digital {term}`signatures`, recipients of an {term}`OpenPGP certificate` need only {term}`validate` the {term}`authenticity` of the {term}`primary key` to use for their communication partner. Traditionally, this is done by manually verifying the *{term}`fingerprint`* of the {term}`primary key`. Once the {term}`validity` of the {term}`primary key` is confirmed, the {term}`validity` of the remaining {term}`components` can be automatically assessed by the user's OpenPGP software. Generally, {term}`components` are {term}`valid` parts of a {term}`certificate` if there is a statement signed by the {term}`certificate`'s {term}`primary key` endorsing this {term}`validity`. From fde85b5d673ceff7453dd56cdb9151ca6bf69894 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 14 Dec 2023 16:09:26 +0100 Subject: [PATCH 02/39] Fix glossary link markup --- book/source/signing_components.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/book/source/signing_components.md b/book/source/signing_components.md index 7067a09..0e24ed9 100644 --- a/book/source/signing_components.md +++ b/book/source/signing_components.md @@ -29,7 +29,7 @@ This chapter expands on topics introduced in the [](certificates) chapter. {term}`Life-cycle management` operations include: - {term}`binding` additional {term}`components` to a {term}`certificate` -- modifying {term}`expiration time` or other {term}`metadata` of `components` +- modifying {term}`expiration time` or other {term}`metadata` of {term}`components` - revoking, and thus invalidating, {term}`components` or existing {term}`self-signatures` {term}`Self-signatures` are issued by the {term}`certificate's owner` using the {term}`certificate`'s {term}`primary key`. @@ -266,7 +266,7 @@ With this mechanism, for example, it is possible to {term}`delegate` (wot)= ### Web of Trust: Decentralized trust decisions -The {term}`Web of Trust` in OpenPGP is a {term}`trust model` that facilitates {term}`authentication` decisions through a network of {term}`certifications` and {term}`delegations`. It is characterized by a so-called [strong set](https://en.wikipedia.org/wiki/Web_of_trust#Strong_set), which refers to a group of {term}`certificates` that are robustly interconnected via `third-party certifications`. +The {term}`Web of Trust` in OpenPGP is a {term}`trust model` that facilitates {term}`authentication` decisions through a network of {term}`certifications` and {term}`delegations`. It is characterized by a so-called [strong set](https://en.wikipedia.org/wiki/Web_of_trust#Strong_set), which refers to a group of {term}`certificates` that are robustly interconnected via {term}`third-party certifications`. In this model, users independently {term}`delegate` {term}`authentication` decisions, choosing whose {term}`certification` to rely on. This {term}`delegation` is based on the {term}`certificates` and {term}`third-party signatures` available to them, with their {term}`OpenPGP software` applying the {term}`Web of Trust` mechanism to discern the reliability of each {term}`certificate` for an {term}`identity`. From 8b02a7a474754afadc6ff275bb12561c0b7ec7fa Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Wed, 20 Dec 2023 09:42:36 +0000 Subject: [PATCH 03/39] Edits for KO attack section Reviewed-on: https://codeberg.org/openpgp/notes/pulls/254 Co-authored-by: Tammi L. Coles Co-committed-by: Tammi L. Coles --- book/source/adv/private_keys.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/book/source/adv/private_keys.md b/book/source/adv/private_keys.md index 319a914..a277d2d 100644 --- a/book/source/adv/private_keys.md +++ b/book/source/adv/private_keys.md @@ -67,15 +67,17 @@ In addition to key management, a keystore often involves various supplementary f OpenPGP is subject to specific vulnerabilities known as key overwriting (KO) attacks. These attacks exploit weaknesses in how encrypted private keys or their metadata are handled, potentially leading to the leakage of secret data when the key is used. The core issue lies in OpenPGP's handling of Secret-Key packets, where corruption of the non-encrypted fields can cause the unaltered private key material to be used with altered parameters. This mismatch can result in private key leakage. -Importantly, KO attacks are particularly relevant when an attacker is responsible for storing a user's encrypted private key. By altering the algorithm field in the Secret-Key packet, the attacker may cause the user to perform a cryptographic operation with a different algorithm. E.g., performing a DSA operation with ECC private key material. By observing the output of that attacker-corrupted operation, the attacker can recover the user's unencrypted private key material, even though the attacker had no direct access to it. +Importantly, KO attacks are particularly relevant in scenarios where an attacker has control over the storage of a user's encrypted private key. By manipulating the algorithm field in the Secret-Key packet, the attacker may lead the user to perform a cryptographic operation with a different algorithm. For example, the user might unknowingly perform a DSA operation with ECC private key material. Although the attacker does not have direct access to the encrypted private key material, the attacker can deduce and recover the user's unencrypted private key material by observing the output of this compromised operation. ### Mitigation -Understanding KO attacks is crucial due to their potential to compromise the integrity and confidentiality of encrypted communications, and the risk of complete private key material compromise. KO attacks highlight the necessity for robust key validation procedures and the dangers of storing keys in insecure environments. OpenPGP application developers should consider if this attack class is a concern in their applications. +Understanding KO attacks is crucial due to their potential to compromise the integrity and confidentiality of encrypted communications, and the risk of complete private key material compromise. KO attacks highlight the necessity for robust key validation procedures and the dangers of storing keys in insecure environments. OpenPGP application developers should conduct a risk assessment to determine the relevance of KO attacks to their applications. -Private keys that are protected with [S2K usage mode 253 (AEAD)](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-secret-key-encryption), are not vulnerable to KO attacks. This mode ensures the integrity of the private key by using its unencrypted fields (including the algorithm field) as the *authentication tag* for integrity verification in the decryption process. When an attacker alters the unencrypted part of the packet, then decryption of the private key material will fail, and the user is prevented from e.g. accidentally using the key material with an altered attacker-controlled algorithm. +Private keys secured with [S2K usage mode 253 (AEAD)](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-secret-key-encryption) are safeguarded against KO attacks. This mode ensures the integrity of the private key by using its unencrypted fields, including the algorithm field, as the *authentication tag* for integrity verification in the decryption process. -Note that while S2K usage mode 253 (AEAD) has been introduced in the OpenPGP version 6 specification, it can also be applied to OpenPGP version 4 key material (also see {ref}`migration-s2k`). +When an attacker alters the unencrypted part of the Secret-Key packet, then decryption of the private key material will fail. This effectively prevents the user from unknowingly using the key material with an altered attacker-controlled algorithm. + +Note that while S2K usage mode 253 (AEAD) has been introduced in the OpenPGP version 6 specification, it can also be applied to OpenPGP version 4 key material (see {ref}`migration-s2k`). #### Resources From 0c41b6c67b6ea5209db3c981f43da459a38df378 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:20:50 +0100 Subject: [PATCH 04/39] Clarify asymmetric cryptography and its use in OpenPGP --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 76d7fed..fe3f25a 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -20,7 +20,7 @@ Algorithm Preferences See [](recipe-algorithm-preferences). Asymmetric Cryptography - Asymmetric cryptography is used in OpenPGP. For a more detailed discussion see [](public-key-cryptography). + Asymmetric cryptography (also known as public-key cryptography) is used in OpenPGP to send messages without using a prior shared secret. For a more detailed discussion see [](public-key-cryptography). Authenticated Encryption With Associated Data Short AEAD, refers to an encryption scheme that ensures confidentiality of a message. Additionally, additional data, which is not confidential, may be associated with the message. From 090e4d8f5029fbf5e56779cfb5f36737cc2a8b34 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:21:21 +0100 Subject: [PATCH 05/39] AEAD: Clarify integrity properties --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index fe3f25a..577b19b 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -23,7 +23,7 @@ Asymmetric Cryptography Asymmetric cryptography (also known as public-key cryptography) is used in OpenPGP to send messages without using a prior shared secret. For a more detailed discussion see [](public-key-cryptography). Authenticated Encryption With Associated Data - Short AEAD, refers to an encryption scheme that ensures confidentiality of a message. Additionally, additional data, which is not confidential, may be associated with the message. + Short AEAD, refers to an encryption scheme that ensures confidentiality of a message. Additionally, additional data, which is not confidential, may be associated with the message, ensuring integrity of both the confidential part of the message, as well as the additional data. See Wikipedia on [Authenticated Encryption](https://en.wikipedia.org/wiki/Authenticated_encryption). From b0363a09458d1b7c4b1f5b701f655f83afed8f5e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:21:47 +0100 Subject: [PATCH 06/39] Clarify authentication key flag --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 577b19b..304fd70 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -32,7 +32,7 @@ Authentication The term "authentication" here is semantically different from the one used in {term}`Authentication Key Flag`. Authentication Key Flag - A {term}`Key Flag`, which indicates that a {term}`Component Key` can be used to confirm control over {term}`private key material` against a remote system. The term "authentication" here is semantically different from {term}`Authentication`. See [](key-flags). + A {term}`Key Flag`, which indicates that a {term}`Component Key` can be used to confirm control over {term}`private key material` against a remote system. This is typically done to perform an authorative action, like logging into a system. The term "authentication" here is semantically different from {term}`Authentication`. See [](key-flags). Authentication Tag See {term}`Message Authentication Code`. From 020665947f708f62b4a823e85649cb4394881a79 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:22:13 +0100 Subject: [PATCH 07/39] Add that the holder is typically the owner of a cert --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 304fd70..e8ba2b5 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -69,7 +69,7 @@ Certificate Authority See {term}`Certification Authority` Certificate Holder - A person or other entity, that holds an {term}`Transferable Secret Key` and thus is able to modify the accompanying {term}`OpenPGP Certificate`. + A person or other entity, that holds an {term}`Transferable Secret Key` and thus is able to modify the accompanying {term}`OpenPGP Certificate`. Typically this is the owner of {term}`OpenPGP key`. Certification A certification, in OpenPGP, is a signature that makes a statement about an {term}`identity` in a {term}`certificate`, or an entire {term}`certificate`. From dabd87e1978b9228202dacf9c159985edd43eb0c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:22:29 +0100 Subject: [PATCH 08/39] Upper case --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index e8ba2b5..44d2ecf 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -90,7 +90,7 @@ Certification Revocation Signature Packet Certification Signature See {term}`Certification`. -Certifying Self-signature +Certifying Self-Signature An {term}`OpenPGP Signature Packet` by the {term}`Certificate Holder` on an {term}`Identity Component` of their own {term}`Certificate`. Certifying Signature From 140a5fae5c4874b2f219b924bb26d5be5d7fd564 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:22:42 +0100 Subject: [PATCH 09/39] Add entry for Compressed Data Packet --- book/source/glossary.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/book/source/glossary.md b/book/source/glossary.md index 44d2ecf..7e14be2 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -112,6 +112,9 @@ Component Component Key See {term}`OpenPGP Component Key`. +Compressed Data Packet + A packet containing a compressed {term}`OpenPGP Message` (typically a {term}`Literal Data Packet`). + Compression See {term}`Data Compression`. From f0e49b52a4108c27c0ebe21b7115e4712643cc12 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:23:15 +0100 Subject: [PATCH 10/39] Creation Time: Clarify that it also applies to signatures --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 7e14be2..d653c0b 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -119,7 +119,7 @@ Compression See {term}`Data Compression`. Creation Time - The point in time at which e.g. an {term}`OpenPGP Certificate`, or one of its {term}`component` is created. + The point in time at which e.g. an {term}`OpenPGP Signature`, an {term}`OpenPGP Certificate`, or one of its {term}`component` is created. Creator See {term}`Issuer`. From 15e0b23f1682fd6056435498b10eb7a8ba4f2363 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:23:40 +0100 Subject: [PATCH 11/39] Clarify criticality some more --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index d653c0b..cd3b105 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -125,7 +125,7 @@ Creator See {term}`Issuer`. Criticality Flag - A flag on {term}`Subpacket`s, that defines their criticality, which is used for validation. See [](criticality-of-subpackets). + A flag on {term}`Subpacket`s, that can mark them as critical or non-critical, which is has an influence on signature validation. See [](criticality-of-subpackets). Cryptographic Key A {term}`symmetric` or {term}`asymmetric` cryptographic key is used for signing and encryption operations. See [](cryptography). From 68082c2fcefdeb9aa630a87528f6c4b72a427479 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:24:22 +0100 Subject: [PATCH 12/39] Clarify that a cryptographic signature is 'raw' --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index cd3b105..9e838db 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -131,7 +131,7 @@ Cryptographic Key A {term}`symmetric` or {term}`asymmetric` cryptographic key is used for signing and encryption operations. See [](cryptography). Cryptographic Signature - A raw cryptographic signature is a sequence of bytes created by a {term}`Cryptographic Key`. + A raw cryptographic signature is an algorithm-specific sequence of bytes created by a {term}`Cryptographic Key`. CTB See {term}`Cipher Type Byte`. From 2302f51fb29c18be2f9d57e0e4425fb181dc6b55 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:25:08 +0100 Subject: [PATCH 13/39] Detached signatures may not always be (for) files --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 9e838db..a2eb895 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -154,7 +154,7 @@ Delegation This kind of delegation involves {term}`certifications` that include the {term}`trust signature` subpacket. Detached Signature - A {term}`Data Signature` which exists as a separate file to the file it was created for. See [](forms-of-data-signatures). + A {term}`Data Signature` which exists separately to the data it was created for. See [](forms-of-data-signatures). Direct Key Signature A {term}`Signature` that sets preferences and advertises {term}`features` applicable to an entire {term}`Certificate`. See [](direct-key-signature). From 7445a15bfa7f876cb8f18e24fd69a1957e0934c1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:25:42 +0100 Subject: [PATCH 14/39] Clarify Direct-Key Sig is both a signature packet as well as a type --- book/source/glossary.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index a2eb895..7f75c07 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -157,7 +157,9 @@ Detached Signature A {term}`Data Signature` which exists separately to the data it was created for. See [](forms-of-data-signatures). Direct Key Signature - A {term}`Signature` that sets preferences and advertises {term}`features` applicable to an entire {term}`Certificate`. See [](direct-key-signature). + Describes both a {term}`Signature Type ID`, as well as an according {term}`OpenPGP Signature` over a {term}`Primary Key`. + + Issued as a {term}`Self-Signature` it sets preferences and advertises {term}`features` applicable to an entire {term}`Certificate`. See [](direct-key-signature). Embedded Signature Subpacket An {term}`OpenPGP Signature Subpacket` which contains a complete {term}`OpenPGP Signature Packet`. From d385a916fa12d9d5d31775f4a15dcab4d7baf6e1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:25:59 +0100 Subject: [PATCH 15/39] Add entry for Encrypted Data --- book/source/glossary.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/book/source/glossary.md b/book/source/glossary.md index 7f75c07..dc23a57 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -166,6 +166,11 @@ Embedded Signature Subpacket See [RFC 5.2.3.34](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-embedded-signature) +Encrypted Data + Data that is encrypted. + + See [](/encryption.html). + Encryption Key Flag A {term}`Key Flag`, indicating that a {term}`Component Key` can be used for encrypting data. See [](key-flags). From 6edb9f5b52453f34cdd7db68d1970973ff49ff9e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:26:14 +0100 Subject: [PATCH 16/39] Clarify there are two encryption key flags --- book/source/glossary.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/book/source/glossary.md b/book/source/glossary.md index dc23a57..7ba86b8 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -174,6 +174,8 @@ Encrypted Data Encryption Key Flag A {term}`Key Flag`, indicating that a {term}`Component Key` can be used for encrypting data. See [](key-flags). + There are two distinct encryption key flags, indicating that the key can encrypt communications, or data in long-term storage respectively. + Expiration A mechanism by which a {term}`Component` is invalidated due to the {term}`Expiration Time` of its {term}`binding signature` being older than the {term}`Reference Time` by which it is validated. From 9df63ba00aead94667ff7fd37bfd4adf88711952 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:26:34 +0100 Subject: [PATCH 17/39] s/A/An --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 7ba86b8..5994e9e 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -183,7 +183,7 @@ Expiration Time The time of expiry of an {term}`OpenPGP Signature Packet`. Features Subpacket - A {term}`OpenPGP Signature Subpacket`, which denotes advanced OpenPGP features an {term}`implementation` supports. + An {term}`OpenPGP Signature Subpacket`, which denotes advanced OpenPGP features an {term}`implementation` supports. For an in-depth view on these {term}`subpackets` see [](zoom-dks). From 5a4b3add35d65d8eb5e9c8a419092062d338949a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:26:53 +0100 Subject: [PATCH 18/39] Add alias 'Hash Value' --- book/source/glossary.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/book/source/glossary.md b/book/source/glossary.md index 5994e9e..2a6baa6 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -208,6 +208,9 @@ Hash Digest Hash Function A function used to map data of arbitrary size to fixed-size values (see {term}`Hash Digest`). +Hash Value + See {term}`Hash Digest`. + Hashed Area An area in an {term}`OpenPGP Signature Packet` containing {term}`OpenPGP Signature Subpacket`s, that is covered by the {term}`Hash Digest` a {term}`Cryptographic Signature` is created for. See [](subpacket-areas). From c5dbc29f5159ae882e79ba80032509497f99d828 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:27:28 +0100 Subject: [PATCH 19/39] Identities are not only certified by third-parties --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 2a6baa6..58900f2 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -221,7 +221,7 @@ Hybrid Cryptosystem A cryptographic system that employs both {term}`Asymmetric Cryptography` and {term}`Symmetric Cryptography`. See [](hybrid-cryptosystems). Identity - An identity of a {term}`Certificate Holder`. It is represented by an {term}`Identity Component`, which may be certified using {term}`third-party identity certifications`, or by a {term}`Notation`. + An identity of a {term}`Certificate Holder`. It is represented by an {term}`Identity Component`, which may be certified using {term}`identity certifications`, or by a {term}`Notation`. Identity Certification An {term}`OpenPGP Signature Packet` on an {term}`Identity Component` which {term}`certifies` its {term}`authenticity`. From 0f53a1e8a6ec9d9d68c71ae848a34944a98c23b9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:27:47 +0100 Subject: [PATCH 20/39] s/a/an --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 58900f2..f87bd6c 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -242,7 +242,7 @@ Inline Signature A {term}`Data Signature` which exists encapsulated alongside the data it was created for in an OpenPGP container. See [](forms-of-data-signatures). Issuer - An entity, that created an {term}`OpenPGP Signature Packet` using an {term}`Transferable Secret Key`. + An entity, that created an {term}`OpenPGP Signature Packet` using a {term}`Transferable Secret Key`. Issuer Fingerprint Subpacket A {term}`Subpacket` specifying the {term}`Fingerprint` of an {term}`Issuer Key`. From 0737cefd2f462c5eed20cd93b3861516669b19f3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:28:05 +0100 Subject: [PATCH 21/39] Key Expiration Time is not for Signatures --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index f87bd6c..40846dc 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -268,7 +268,7 @@ Key - {term}`OpenPGP key` (which in turn refers to either an {term}`OpenPGP Certificate` or a {term}`Transferable Secret Key` Key Expiration Time Subpacket - An {term}`OpenPGP Signature Subpacket Type` which defines the {term}`Expiration Time` for an {term}`OpenPGP Signature Packet` on a {term}`key`. + An {term}`OpenPGP Signature Subpacket Type` which defines the {term}`Expiration Time` for a {term}`key`. See [RFC 5.2.3.13](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-expiration-time) From 0e24b045ffca5095397a5750578d8476790fc95a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:28:22 +0100 Subject: [PATCH 22/39] Key Servers are services --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 40846dc..0b55967 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -292,7 +292,7 @@ Key Revocation Signature Packet A {term}`Revocation Self-signature` for an entire {term}`OpenPGP Certificate`. Key Server - A piece of software available over the network, which provides access to {term}`OpenPGP Certificates` e.g., by searching for an {term}`OpenPGP Fingerprint` or {term}`User ID`, via the `HKP` and/ or `HKPS` protocols. + A service available over the network, which provides access to {term}`OpenPGP Certificates` e.g., by searching for an {term}`OpenPGP Fingerprint` or {term}`User ID`, via the `HKP` and/ or `HKPS` protocols. Several implementations such as [hagrid](https://gitlab.com/keys.openpgp.org/hagrid/), or [hockeypuck](https://github.com/hockeypuck/hockeypuck) exist. Life-cycle Management From 9bc2927f0fee863f8d9b4ca14fa721e2dae98ce3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:28:43 +0100 Subject: [PATCH 23/39] Literal Data Packets are not Signautre Packets --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 0b55967..c501965 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -301,7 +301,7 @@ Life-cycle Management See [](self-signatures). Literal Data Packet - A {term}`packet` in a {term}`Data Signature` which contains data, that has been signed using a {term}`cryptographic signature`. See [RFC 5.9](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#lit) for more details. + A packet which contains the plaintext data of an encrypted and/or signed message. See [RFC 5.9](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#lit) for more details. MAC See {term}`Message Authentication Code`. From bc7f63c4e2a2bf0dae6a3451b2081c5928261893 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:28:58 +0100 Subject: [PATCH 24/39] Clarify meta-introducer --- book/source/glossary.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/book/source/glossary.md b/book/source/glossary.md index c501965..f48826e 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -315,6 +315,8 @@ Message Authentication Code Meta-Introducer An {term}`OpenPGP Certificate` with a {term}`Trust Depth` greater than one. + A meta-introducer can introduce other (meta-) introducers. + Metadata Data related to preferences of an {term}`OpenPGP Certificate` or its {term}`Certificate Holder`, that can be found in {term}`signature` {term}`packets`. See [](metadata-in-certificates). From 78a8677a54deee7bf8c5a50348860780e1177c21 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:29:29 +0100 Subject: [PATCH 25/39] An OpenPGP message does not contain certificates, but literal, encrypted, compressed or signed data --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index f48826e..0a0f1cd 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -350,7 +350,7 @@ OpenPGP Key Used either for an {term}`OpenPGP Certificate` (containing public key material and metadata), or for an {term}`OpenPGP Private Key`. See [](/certificates) for an in-depth discussion. OpenPGP Message - A data structure, which contains OpenPGP components such as {term}`OpenPGP Certificate` or {term}`OpenPGP Signature Packet` and plaintext or encrypted data. + A data structure, which contains OpenPGP packets, such as {term}`literal`, {term}`compressed`, {term}`encrypted` or {term}`signed` data. OpenPGP Public Key See {term}`OpenPGP Certificate`. From 920ab3c9b93a462d233754ef5efafc3a91f83a75 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:30:10 +0100 Subject: [PATCH 26/39] Packets are not exclusively used for Certificates --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 0a0f1cd..73e0382 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -386,7 +386,7 @@ Owner See {term}`Certificate Holder`. Packet - An element in an {term}`OpenPGP Certificate`, which represents {term}`components` or {term}`signatures`. + An element in an {term}`OpenPGP Certificate` or {term}`OpenPGP Message`. Packet Header A section of variable length at the beginning of a {term}`Packet`, which encodes for example the {term}`Packet Type ID`. See the relevant [section in the RFC](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-packet-headers), which explains this section in more detail. From ec1278628d6fd33fadf53689f276543dc04f6846 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:30:46 +0100 Subject: [PATCH 27/39] Clarify preferences are for certificates or subkeys --- book/source/glossary.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 73e0382..f95fb15 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -403,22 +403,22 @@ Positive Certification See [](bind-identity). Preferred Compression Algorithms Subpacket - An {term}`OpenPGP Signature Subpacket Type` which defines the preferred {term}`compression algorithms` for an {term}`OpenPGP Signature Packet`. This defines which {term}`algorithms` the {term}`key holder` prefers to use. + An {term}`OpenPGP Signature Subpacket Type` which defines the preferred {term}`compression algorithms` for an {term}`OpenPGP Certificate` or {term}`Component Key`. This defines which {term}`algorithms` the {term}`key holder` prefers to receive. See [RFC 5.2.3.17](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-preferred-compression-algor). Preferred Hash Algorithms Subpacket - An {term}`OpenPGP Signature Subpacket Type` which defines the preferred {term}`hash algorithm` for an {term}`OpenPGP Signature Packet`. This defines which algorithms the {term}`key holder` prefers to receive. + An {term}`OpenPGP Signature Subpacket Type` which defines the preferred {term}`hash algorithm` for an {term}`OpenPGP Certificate` or {term}`Component Key`. This defines which algorithms the {term}`key holder` prefers to receive. See [RFC 5.2.3.16](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-preferred-hash-algorithms). Preferred Symmetric Ciphers for v1 SEIPD Subpacket - An {term}`OpenPGP Signature Subpacket Type` which defines the preferred version 1 {term}`SEIPD` algorithms for an {term}`OpenPGP Signature Packet`. This defines which algorithms the {term}`key holder` prefers to receive and implicitly signifies the supported algorithms of the {term}`key holder`'s {term}`implementation`. + An {term}`OpenPGP Signature Subpacket Type` which defines the preferred version 1 {term}`SEIPD` algorithms for an {term}`OpenPGP Certificate` or {term}`Component Key`. This defines which algorithms the {term}`key holder` prefers to receive and implicitly signifies the supported algorithms of the {term}`key holder`'s {term}`implementation`. See [RFC 5.2.3.14](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-preferred-symmetric-ciphers). Preferred AEAD Ciphersuites Subpacket - An {term}`OpenPGP Signature Subpacket Type` which defines the preferred version 2 {term}`SEIPD` algorithms for an {term}`OpenPGP Signature Packet`. This defines which algorithms the {term}`key holder` prefers to receive and implicitly signifies the supported algorithms of the {term}`key holder`'s {term}`implementation`. + An {term}`OpenPGP Signature Subpacket Type` which defines the preferred version 2 {term}`SEIPD` algorithms for an {term}`OpenPGP Certificate` or {term}`Component Key`. This defines which algorithms the {term}`key holder` prefers to receive and implicitly signifies the supported algorithms of the {term}`key holder`'s {term}`implementation`. See [RFC 5.2.3.15](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-preferred-aead-ciphersuites) From ecaa4a1299ad06bb01af85d7983132c4e6af9b42 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:31:04 +0100 Subject: [PATCH 28/39] Reference time is for certificate or signature evaluation --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index f95fb15..71fe528 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -478,7 +478,7 @@ Reason For Revocation Subpacket See [RFC 5.2.3.31](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-reason-for-revocation) Reference Time - A point in time at which an {term}`OpenPGP Certificate` is evaluated. + A point in time at which an {term}`OpenPGP Certificate` or {term}`OpenPGP Signature` is evaluated. Regular Expression Subpacket An {term}`OpenPGP Signature Subpacket` which allows for limiting {term}`delegations` to {term}`identities` matching a regular expression. From 08fedd32d8a3f8a21e043f399b0464ded4c03e26 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:31:28 +0100 Subject: [PATCH 29/39] Third-party identity certifications certify identity claims --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 71fe528..08794e4 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -626,7 +626,7 @@ Text Signature A {term}`signature packet` with the {term}`Signature Type ID` `0x01`, which is used for textual data. Third-party Identity Certification - {term}`Certification` by third-parties to confirm ownership of an {term}`OpenPGP Certificate` by a {term}`Certificate Holder`. See [](third-party-identity-certifications). + {term}`Certification` by third-parties to confirm ownership of an {term}`OpenPGP Certificate` ({term}`Identity Claim`) by a {term}`Certificate Holder`. See [](third-party-identity-certifications). Third-party Signature A {term}`Signature` by a third-party on a {term}`Component` of a {term}`Certificate`. From d3cdbd43668b1f4481aa8271701b673f07e031a8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:31:47 +0100 Subject: [PATCH 30/39] Clarify User-Attributes contain complex data --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 08794e4..a422284 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -684,7 +684,7 @@ Unhashed Subpacket A {term}`Signature Subpacket` residing in the {term}`Unhashed Area` of a {term}`Signature Packet`. User Attribute - An {term}`Identity Component`, which may hold a single JPEG image. See [](user-attributes). + An {term}`Identity Component`, which may hold complex attribute data, e.g. a single JPEG image. See [](user-attributes). User ID An {term}`Identity Component`, which describes an {term}`Identity` of a {term}`Certificate Holder`. See [](user-ids). From e4b5c4d64b00782ab24e69cb58ad7cc853ae16c0 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:32:08 +0100 Subject: [PATCH 31/39] Remove specifics from Cryptographic Key --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index a422284..f2812b9 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -128,7 +128,7 @@ Criticality Flag A flag on {term}`Subpacket`s, that can mark them as critical or non-critical, which is has an influence on signature validation. See [](criticality-of-subpackets). Cryptographic Key - A {term}`symmetric` or {term}`asymmetric` cryptographic key is used for signing and encryption operations. See [](cryptography). + A {term}`symmetric` or {term}`asymmetric` cryptographic key. See [](cryptography). Cryptographic Signature A raw cryptographic signature is an algorithm-specific sequence of bytes created by a {term}`Cryptographic Key`. From ebc7530cdb3f82c9906dbc1d501adf6268417ae7 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 21 Dec 2023 15:33:07 +0100 Subject: [PATCH 32/39] Fix link --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index f2812b9..d1bad65 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -169,7 +169,7 @@ Embedded Signature Subpacket Encrypted Data Data that is encrypted. - See [](/encryption.html). + See [](/encryption). Encryption Key Flag A {term}`Key Flag`, indicating that a {term}`Component Key` can be used for encrypting data. See [](key-flags). From 6820d60661ae096963c6ecacc1921b909625d93b Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 22 Dec 2023 15:02:28 +0100 Subject: [PATCH 33/39] Identity certifications can be both self-signatures or third-party --- book/source/glossary.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/book/source/glossary.md b/book/source/glossary.md index d1bad65..e84c2ec 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -225,6 +225,10 @@ Identity Identity Certification An {term}`OpenPGP Signature Packet` on an {term}`Identity Component` which {term}`certifies` its {term}`authenticity`. + + Identity certifications can be issued either: + - by the certificate holder, as a {term}`self-signature`, or + - by a third party, as a {term}`third-party identity certifications`. Identity Claim A {term}`Certificate Holder` may use {term}`Identity Components` or {term}`Notations` to state a claim about their {term}`Identity`. From cf169edaf68d3f8da71810bcd6077f5236c538be Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 22 Dec 2023 15:06:02 +0100 Subject: [PATCH 34/39] Add link --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index e84c2ec..4e8363e 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -305,7 +305,7 @@ Life-cycle Management See [](self-signatures). Literal Data Packet - A packet which contains the plaintext data of an encrypted and/or signed message. See [RFC 5.9](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#lit) for more details. + A {term}`packet` which contains the plaintext data of an encrypted and/or signed message. See [RFC 5.9](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#lit) for more details. MAC See {term}`Message Authentication Code`. From 54bb1927c1781062e8743683ee039a595defb885 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 22 Dec 2023 15:14:09 +0100 Subject: [PATCH 35/39] Link "Trusted introducer" from "Meta Introducer" --- book/source/glossary.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 4e8363e..66b8adc 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -317,9 +317,9 @@ Message Authentication Code A piece of information used for integrity and {term}`authenticity` verification of a message. See [](message-authentication-code). Meta-Introducer - An {term}`OpenPGP Certificate` with a {term}`Trust Depth` greater than one. + An {term}`OpenPGP Certificate` that acts as a {term}`Trusted introducer` and has a {term}`Trust Depth` greater than one. - A meta-introducer can introduce other (meta-) introducers. + A meta-introducer can introduce other (meta-) {term}`introducers`. Metadata Data related to preferences of an {term}`OpenPGP Certificate` or its {term}`Certificate Holder`, that can be found in {term}`signature` {term}`packets`. See [](metadata-in-certificates). From e0c99b21a15cf63e36cd422af94800477a39cff0 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 22 Dec 2023 15:16:04 +0100 Subject: [PATCH 36/39] Adjust styling of "Meta Introducer" to the RFC (no dash) --- book/source/glossary.md | 4 ++-- book/source/signing_components.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index 66b8adc..d3e07e5 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -316,10 +316,10 @@ Master Key Message Authentication Code A piece of information used for integrity and {term}`authenticity` verification of a message. See [](message-authentication-code). -Meta-Introducer +Meta Introducer An {term}`OpenPGP Certificate` that acts as a {term}`Trusted introducer` and has a {term}`Trust Depth` greater than one. - A meta-introducer can introduce other (meta-) {term}`introducers`. + A meta introducer can introduce other (meta-) {term}`introducers`. Metadata Data related to preferences of an {term}`OpenPGP Certificate` or its {term}`Certificate Holder`, that can be found in {term}`signature` {term}`packets`. See [](metadata-in-certificates). diff --git a/book/source/signing_components.md b/book/source/signing_components.md index 0e24ed9..c7d4286 100644 --- a/book/source/signing_components.md +++ b/book/source/signing_components.md @@ -241,7 +241,7 @@ OpenPGP uses [*trust signature*](https://www.ietf.org/archive/id/draft-ietf-open (trust-level)= #### Trust depth/level -The "{term}`trust depth`" (or {term}`level`) in OpenPGP signifies the extent of transitive {term}`delegation` within the {term}`authentication` process. It determines how far a {term}`delegation` can be extended from the original {term}`trusted introducer` to subsequent intermediaries. Essentially, a {term}`certificate` with a {term}`trust depth` of more than one acts as a "{term}`meta-introducer`," facilitating {term}`authentication` decisions across multiple levels in the network. +The "{term}`trust depth`" (or {term}`level`) in OpenPGP signifies the extent of transitive {term}`delegation` within the {term}`authentication` process. It determines how far a {term}`delegation` can be extended from the original {term}`trusted introducer` to subsequent intermediaries. Essentially, a {term}`certificate` with a {term}`trust depth` of more than one acts as a "{term}`meta introducer`," facilitating {term}`authentication` decisions across multiple levels in the network. A {term}`trust depth` of 1 means relying on {term}`certifications` made directly by the {term}`trusted introducer`. The user's OpenPGP software will accept {term}`certifications` made directly by the {term}`introducer` for {term}`authenticating` identities. From c6a020d8f7935608691d724bf64be8981a06a5f6 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 22 Dec 2023 15:31:00 +0100 Subject: [PATCH 37/39] Normalize link syntax --- book/source/glossary.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index d3e07e5..ae47e74 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -49,12 +49,12 @@ Binary Signature Binding The process of creating a {term}`Binding Signature` for a {term}`Component`, or the resulting {term}`Binding Signature`. - See {ref}`binding-signatures` for more. + See [](binding-signatures) for more. Binding Signature A {term}`self-signature` on a {term}`component` which associates that {term}`component` to the issuing {term}`component key` in a {term}`certificate`. - See {ref}`binding-signatures` for more. + See [](binding-signatures) for more. CA See {term}`Certification Authority`. @@ -670,7 +670,7 @@ Trust Signature Trusted introducer OpenPGP users can choose to rely on {term}`certifications` issued by a third party. The remote party of such a {term}`delegation` is called a "trusted introducer". - See {ref}`delegation` for more details. + See [](delegation) for more details. TSK See {term}`Transferable Secret Key`. From 8865cbf0e116aec4e01e15195acb6da89ccb07a5 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 22 Dec 2023 15:40:05 +0100 Subject: [PATCH 38/39] Expand on "Authentication Key Flag" --- book/source/glossary.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index ae47e74..c0a3bd5 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -32,7 +32,9 @@ Authentication The term "authentication" here is semantically different from the one used in {term}`Authentication Key Flag`. Authentication Key Flag - A {term}`Key Flag`, which indicates that a {term}`Component Key` can be used to confirm control over {term}`private key material` against a remote system. This is typically done to perform an authorative action, like logging into a system. The term "authentication" here is semantically different from {term}`Authentication`. See [](key-flags). + A {term}`Key Flag` which indicates that a {term}`Component Key` can be used to prove control over {term}`private key material` with a challenge-response mechanism. This is typically done to log into a remote system, often using the OpenSSH protocol. + + Note that the term "authentication" is used in a different context here than {term}`Authentication` of {term}`identity claims` that are associated with a {term}`certificate`. See [](key-flags). Authentication Tag See {term}`Message Authentication Code`. From ffa24596a4e77f25a27df3c12c7fcb350a00ccde Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Wed, 20 Dec 2023 10:55:51 +0100 Subject: [PATCH 39/39] Optimize away additional glossary hop --- book/source/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/glossary.md b/book/source/glossary.md index c0a3bd5..40c2fa3 100644 --- a/book/source/glossary.md +++ b/book/source/glossary.md @@ -574,7 +574,7 @@ Signature Type See {term}`OpenPGP Signature Type`. Signature Type ID - A numerical identifier for a {term}`Signature Type`. + A numerical identifier for a {term}`Signature Type`. Signature Verification In cryptography the mechanism of verification relates to a process in which a claim (i.e., a {term}`signature`) is tested (i.e., using the relevant {term}`components` of a {term}`certificate`).