ch4: fold outline notes into section structure

This commit is contained in:
Heiko Schaefer 2023-09-21 15:46:03 +02:00
parent 46c465ed06
commit 8aa34dfa59
No known key found for this signature in database
GPG key ID: 4A849A1904CCBD7D


@ -1,36 +1,6 @@
(certificates_chapter)=
# Certificates / Keys
```
## What is in a certificate (Structure)
### Subkeys
### User IDs / attributes
- Primary UserID and its implications
### Third party signatures
- Metadata Leak of Social Graph
- How to generate "minimized" certificate?
### Bindings
### Signature Subpackets
- (key-) expiration
- flags
## Certificate Management
### Merging
- How to merge two copies of the same certificate?
- Canonicalization
### Best Practices regarding Key Freshness
- Expiry
- Subkey rotation
```
One central (and non-trivial) element of OpenPGP are certificates/keys.
OpenPGP keys are relatively complex data structures, so it's good to have
a clear mental model of them.
@ -41,7 +11,7 @@ In the OpenPGP space, the term "key" has historically been used for three
distinct concepts, at three layers, all related to each other:
- (Bare) "cryptographic keys" (without additional metadata).
Those might be the secret and/or public parameters that form a key, e.g. in case of an RSA secret key the exponent `d` along with the prime numbers `p` and `q`.
Those might be the secret and/or public parameters that form a key, e.g., in case of an RSA secret key the exponent `d` along with the prime numbers `p` and `q`.
- OpenPGP *component keys*: "OpenPGP primary keys" and "OpenPGP subkeys".
Those are building blocks of OpenPGP certificates,
they consist of a (bare) cryptographic keypair, plus some invariant metadata (e.g. key creation time).
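Review bot: the comma added after "e.g." on the rewritten line is not applied to the same abbreviation two lines later ("(e.g. key creation time)" in the component keys bullet), so this hunk leaves the two forms mixed; either apply "e.g.," throughout the section or leave this line alone, since the change is unrelated to folding the outline into headings.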
@ -52,6 +22,7 @@ Those might be the secret and/or public parameters that form a key, e.g. in case
In the following section we'll look more closely at these three layers.
## "OpenPGP keys/certificates": collections of cryptographic keys, identity information and other metadata
A complete "OpenPGP certificate" or "OpenPGP key" is composed of an
@ -74,7 +45,7 @@ consists mainly of a cryptographic keypair:
![Image](diag/cryptographic_keys.png "A cryptographic keypair")
A cryptographic keypair consists of a private and a public part.
In this document we'll show the public part of a cryptographic key in green,
In this document, we'll show the public part of a cryptographic key in green,
and the private part in red.
We'll visualize cryptographic keypairs in a more compact form:
@ -103,7 +74,7 @@ The fingerprint of the primary key has a central role.
It is used as the unique identifier for the full OpenPGP certificate.
## Components of an OpenPGP key/certificate
## What is in a certificate (Structure) / Components of an OpenPGP key/certificate
In addition to the primary key, OpenPGP keys/certificates can contain a
number of other components:
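Review bot: the new heading "## What is in a certificate (Structure) / Components of an OpenPGP key/certificate" glues the outline title and the existing title together with a slash, which reads as a working note rather than a section title; pick one (e.g. keep "## Components of an OpenPGP key/certificate" and drop the outline wording, or keep the outline wording in an HTML comment until the section is rewritten).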
@ -141,7 +112,6 @@ type of operation (specifically: to allow only *Certification* operations
for the primary key, and to have separate *Signing*, *Encryption* and
*Authentication* subkeys).
### User IDs
An OpenPGP certificate can contain any number of User IDs.
@ -151,12 +121,14 @@ Typically, these identities are composed of a name and an email address.
![Image](diag/user_id.png "OpenPGP certificates can contain any number of User IDs")
#### Primary UserID and its implications
### User attributes
User attributes are similar to User IDs, but less commonly used.
## Linking the components of an OpenPGP certificate together
## Linking the components of an OpenPGP certificate together / Bindings
Technically, an OpenPGP certificate consists of a sequence of OpenPGP packets.
These packets are just stringed together, one after the other.
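Review bot: the added "#### Primary UserID and its implications" heading has no body, so it renders as an empty section between the User IDs image and "### User attributes"; add at least a one-line placeholder or keep it as a bullet until the text exists. "UserID" is also spelled as one word here while the neighbouring headings use "User IDs" and "User attributes". The renamed "## Linking the components of an OpenPGP certificate together / Bindings" has the same slash-joined form; choose one title.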
@ -187,6 +159,11 @@ The subkey binding signature also adds metadata.
![Image](diag/subkey_binding.png "Linking an OpenPGP subkey to the primary key with a binding signature")
#### Signature Subpackets
- (key-) expiration
- flags
#### Binding signing subkeys
When binding a signing subkey to a primary key, it is not sufficient that the "primary
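Review bot: the new "#### Signature Subpackets" heading with the "(key-) expiration" and "flags" bullets is inserted between the subkey binding image and "#### Binding signing subkeys", which splits the binding discussion in two; consider placing it after the back-signature text so the two binding subsections stay contiguous. The two bullets are outline notes carried over verbatim and still need prose.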
@ -201,7 +178,7 @@ a "back signature" (because the subkey uses the signature to point "back"
to the primary key).
### Certifying identity claims
### Certifying identity claims / Third party signatures
OpenPGP certificate often contain identity markers. Typically in the form
of "User ID"s (however, User Attributes are analogous for the purpose of
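Review bot: "### Certifying identity claims / Third party signatures" is another slash-joined heading, and "## Third party (identity) certifications" still exists as a separate section at the end of this file, so the same topic is now named in two headings; decide where third party signatures live and drop the other. While touching this heading, the unchanged context sentence "OpenPGP certificate often contain identity markers" needs "certificates" (plural) to agree with "contain".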
@ -216,11 +193,23 @@ is created. The signature is issued using the primary (secret) key.
![Image](diag/user_id_certification.png "Linking a User ID to an OpenPGP certificate")
#### Metadata Leak of Social Graph
## Evolution of a certificate over time
#### How to generate "minimized" certificate?
## Certificate Management / Evolution of a certificate over time
Minimized versions, merging, effective "append only" semantics, ...
### Merging
- How to merge two copies of the same certificate?
- Canonicalization
### Best Practices regarding Key Freshness
- Expiry
- Subkey rotation
-
## Third party (identity) certifications
## Revocations
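Review bot: the trailing bullet "-" after "Subkey rotation" is an empty list item left over from the outline and should be removed. "#### How to generate "minimized" certificate?" lands under "### Certifying identity claims" (after "#### Metadata Leak of Social Graph"), while the placeholder text under "## Certificate Management / Evolution of a certificate over time" ("Minimized versions, merging, effective "append only" semantics, ...") lists minimization as a management topic; consider moving that heading under Certificate Management. That section heading is also slash-joined like the others; choose one title.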