From 8aa34dfa59b67fe9a500c23497d56115aea93281 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 21 Sep 2023 15:46:03 +0200 Subject: [PATCH] ch4: fold outline notes into section structure --- book/source/04-certificates.md | 63 ++++++++++++++-------------------- 1 file changed, 26 insertions(+), 37 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index b743f37..449b083 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -1,36 +1,6 @@ (certificates_chapter)= # Certificates / Keys -``` -## What is in a certificate (Structure) - -### Subkeys - -### User IDs / attributes - - Primary UserID and its implications - -### Third party signatures - - Metadata Leak of Social Graph - - How to generate "minimized" certificate? - -### Bindings - -### Signature Subpackets - -- (key-) expiration -- flags - -## Certificate Management - -### Merging - - How to merge two copies of the same certificate? - - Canonicalization - -### Best Practices regarding Key Freshness - - Expiry - - Subkey rotation -``` - One central (and non-trivial) element of OpenPGP are certificates/keys. OpenPGP keys are relatively complex data structures, so it's good to have a clear mental model of them. 
@@ -41,7 +11,7 @@ In the OpenPGP space, the term "key" has historically been used for three distinct concepts, at three layers, all related to each other: - (Bare) "cryptographic keys" (without additional metadata). -Those might be the secret and/or public parameters that form a key, e.g. in case of an RSA secret key the exponent `d` along with the prime numbers `p` and `q`. + Those might be the secret and/or public parameters that form a key, e.g., in case of an RSA secret key the exponent `d` along with the prime numbers `p` and `q`. - OpenPGP *component keys*: "OpenPGP primary keys" and "OpenPGP subkeys". Those are building blocks of OpenPGP certificates, they consist of a (bare) cryptographic keypair, plus some invariant metadata (e.g. key creation time). @@ -52,6 +22,7 @@ Those might be the secret and/or public parameters that form a key, e.g. in case In the following section we'll look more closely at these three layers. + ## "OpenPGP keys/certificates": collections of cryptographic keys, identity information and other metadata A complete "OpenPGP certificate" or "OpenPGP key" is composed of an @@ -74,7 +45,7 @@ consists mainly of a cryptographic keypair: ![Image](diag/cryptographic_keys.png "A cryptographic keypair") A cryptographic keypair consists of a private and a public part. -In this document we'll show the public part of a cryptographic key in green, +In this document, we'll show the public part of a cryptographic key in green, and the private part in red. We'll visualize cryptographic keypairs in a more compact form: @@ -103,7 +74,7 @@ The fingerprint of the primary key has a central role. It is used as the unique identifier for the full OpenPGP certificate. -## Components of an OpenPGP key/certificate +## What is in a certificate (Structure) / Components of an OpenPGP key/certificate In addition to the primary key, OpenPGP keys/certificates can contain a number of other components: 
@@ -141,7 +112,6 @@ type of operation (specifically: to allow only *Certification* operations for the primary key, and to have separate *Signing*, *Encryption* and *Authentication* subkeys). - ### User IDs An OpenPGP certificate can contain any number of User IDs. @@ -151,12 +121,14 @@ Typically, these identities are composed of a name and an email address. ![Image](diag/user_id.png "OpenPGP certificates can contain any number of User IDs") +#### Primary UserID and its implications + ### User attributes User attributes are similar to User IDs, but less commonly used. -## Linking the components of an OpenPGP certificate together +## Linking the components of an OpenPGP certificate together / Bindings Technically, an OpenPGP certificate consists of a sequence of OpenPGP packets. These packets are just stringed together, one after the other. @@ -187,6 +159,11 @@ The subkey binding signature also adds metadata. ![Image](diag/subkey_binding.png "Linking an OpenPGP subkey to the primary key with a binding signature") +#### Signature Subpackets + +- (key-) expiration +- flags + #### Binding signing subkeys When binding a signing subkey to a primary key, it is not sufficient that the "primary @@ -201,7 +178,7 @@ a "back signature" (because the subkey uses the signature to point "back" to the primary key). -### Certifying identity claims +### Certifying identity claims / Third party signatures OpenPGP certificate often contain identity markers. Typically in the form of "User ID"s (however, User Attributes are analogous for the purpose of 
@@ -216,11 +193,23 @@ is created. The signature is issued using the primary (secret) key. ![Image](diag/user_id_certification.png "Linking a User ID to an OpenPGP certificate") +#### Metadata Leak of Social Graph -## Evolution of a certificate over time +#### How to generate "minimized" certificate? + + +## Certificate Management / Evolution of a certificate over time Minimized versions, merging, effective "append only" semantics, ... +### Merging +- How to merge two copies of the same certificate? +- Canonicalization + +### Best Practices regarding Key Freshness +- Expiry +- Subkey rotation +- ## Third party (identity) certifications ## Revocations
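Review bot: in the `@@ -41,7 +11,7 @@` hunk the rewritten line now uses `e.g.,` while the unchanged next list item in the same hunk still reads `(e.g. key creation time)`; pick one form for the chapter rather than mixing both within one list. The added leading space that indents the continuation line under its `-` item is correct and is what makes the bullet render as one paragraph.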
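Review bot: the `@@ -52,6 +22,7 @@` hunk only adds a second blank line before `## "OpenPGP keys/certificates": ...`, which is inconsistent with the single blank line used before the other headings in this file (the `@@ -141,7 +112,6 @@` hunk removes exactly such an extra line). Drop this hunk to keep spacing uniform.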
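Review bot: the new heading in the `@@ -103,7 +74,7 @@` hunk, `## What is in a certificate (Structure) / Components of an OpenPGP key/certificate`, combines two working titles with a slash and reads as an unresolved outline note rather than a section title; choose one title before this is published. Since renaming a heading changes its auto-generated anchor, any cross-reference elsewhere in the book that points at the old `Components of an OpenPGP key/certificate` heading should be checked, or an explicit target like the `(certificates_chapter)=` label at the top of the file should be added so the anchor stays stable.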
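Review bot: the `@@ -151,12 +121,14 @@` hunk inserts `#### Primary UserID and its implications` with no body, immediately followed by `### User attributes`, so it renders as an empty section; either add at least a placeholder sentence (or a TODO marker) or keep the item as a note until the text exists. The spelling `UserID` also differs from `User ID`, which the surrounding lines use consistently. As with the other renamed headings in this patch, `## Linking the components of an OpenPGP certificate together / Bindings` should settle on a single title.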
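Review bot: in the `@@ -187,6 +159,11 @@` hunk the new `#### Signature Subpackets` section consists only of the two bare outline items `- (key-) expiration` and `- flags`, which will read as finished content to a reader of the rendered book; mark them as a TODO or expand them into sentences. Placing this section right after the subkey binding signature text is reasonable, since that is where the text says the binding signature "also adds metadata", but the heading should say that these are subpackets of that binding signature so the connection is explicit.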
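Review bot: the `@@ -201,7 +178,7 @@` hunk again merges two titles into `### Certifying identity claims / Third party signatures`; the same single-title remark applies. While touching this spot, the unchanged context line `OpenPGP certificate often contain identity markers.` has a number-agreement slip (`certificates often contain`) that could be fixed in the same commit.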
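Review bot: the `@@ -216,11 +193,23 @@` hunk leaves a stray empty list item, the line `+-` directly before `## Third party (identity) certifications`, which will render as a bullet with no text; remove it. The same hunk also adds `#### Metadata Leak of Social Graph` and `#### How to generate "minimized" certificate?` as empty sub-sections under the identity certification heading, and `## Certificate Management / Evolution of a certificate over time` as another slash-combined title; the `### Merging` and `### Best Practices regarding Key Freshness` lists are outline notes placed as content and should carry a TODO marker or a short explanatory sentence each so the reader can tell draft structure from finished text.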