mirror of
https://codeberg.org/openpgp/notes.git
synced 2024-11-26 17:42:06 +01:00
ch4: fold outline notes into section structure
This commit is contained in:
parent 46c465ed06
commit 8aa34dfa59
1 changed file with 26 additions and 37 deletions
|
@ -1,36 +1,6 @@
|
||||||
(certificates_chapter)=
|
(certificates_chapter)=
|
||||||
# Certificates / Keys
|
# Certificates / Keys
|
||||||
|
|
||||||
```
|
|
||||||
## What is in a certificate (Structure)
|
|
||||||
|
|
||||||
### Subkeys
|
|
||||||
|
|
||||||
### User IDs / attributes
|
|
||||||
- Primary UserID and its implications
|
|
||||||
|
|
||||||
### Third party signatures
|
|
||||||
- Metadata Leak of Social Graph
|
|
||||||
- How to generate "minimized" certificate?
|
|
||||||
|
|
||||||
### Bindings
|
|
||||||
|
|
||||||
### Signature Subpackets
|
|
||||||
|
|
||||||
- (key-) expiration
|
|
||||||
- flags
|
|
||||||
|
|
||||||
## Certificate Management
|
|
||||||
|
|
||||||
### Merging
|
|
||||||
- How to merge two copies of the same certificate?
|
|
||||||
- Canonicalization
|
|
||||||
|
|
||||||
### Best Practices regarding Key Freshness
|
|
||||||
- Expiry
|
|
||||||
- Subkey rotation
|
|
||||||
```
|
|
||||||
|
|
||||||
One central (and non-trivial) element of OpenPGP are certificates/keys.
|
One central (and non-trivial) element of OpenPGP are certificates/keys.
|
||||||
OpenPGP keys are relatively complex data structures, so it's good to have
|
OpenPGP keys are relatively complex data structures, so it's good to have
|
||||||
a clear mental model of them.
|
a clear mental model of them.
|
||||||
|
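Review bot: One outline item is dropped without a replacement: the fenced outline removed at the top of the file (the ``` opened after "# Certificates / Keys" and closed just before "One central (and non-trivial) element of OpenPGP are certificates/keys.") lists "### Subkeys", but no "Subkeys" heading is added anywhere else in this commit, whereas every other item in that outline (Primary UserID, Third party signatures, Metadata Leak of Social Graph, minimized certificate, Bindings, Signature Subpackets, Merging, Best Practices regarding Key Freshness) reappears as a heading or bullet further down. If the chapter already has a subkey section that covers it, fine; otherwise that note is silently lost and should be carried over. Removing the whole fence (both the opening and the closing ```) in one hunk is correct and leaves the `(certificates_chapter)=` label directly above the chapter heading as before.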
@ -41,7 +11,7 @@ In the OpenPGP space, the term "key" has historically been used for three
|
||||||
distinct concepts, at three layers, all related to each other:
|
distinct concepts, at three layers, all related to each other:
|
||||||
|
|
||||||
- (Bare) "cryptographic keys" (without additional metadata).
|
- (Bare) "cryptographic keys" (without additional metadata).
|
||||||
Those might be the secret and/or public parameters that form a key, e.g. in case of an RSA secret key the exponent `d` along with the prime numbers `p` and `q`.
|
Those might be the secret and/or public parameters that form a key, e.g., in case of an RSA secret key the exponent `d` along with the prime numbers `p` and `q`.
|
||||||
- OpenPGP *component keys*: "OpenPGP primary keys" and "OpenPGP subkeys".
|
- OpenPGP *component keys*: "OpenPGP primary keys" and "OpenPGP subkeys".
|
||||||
Those are building blocks of OpenPGP certificates,
|
Those are building blocks of OpenPGP certificates,
|
||||||
they consist of a (bare) cryptographic keypair, plus some invariant metadata (e.g. key creation time).
|
they consist of a (bare) cryptographic keypair, plus some invariant metadata (e.g. key creation time).
|
||||||
|
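Review bot: Half-applied style fix in this hunk: the first bullet is changed from "e.g. in case of an RSA secret key" to "e.g., in case of an RSA secret key", but the second bullet two lines below keeps "(e.g. key creation time)" without the comma. Pick one convention for the abbreviation and apply it to both lines in the same change, otherwise the hunk introduces an inconsistency rather than removing one.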
@ -52,6 +22,7 @@ Those might be the secret and/or public parameters that form a key, e.g. in case
|
||||||
|
|
||||||
In the following section we'll look more closely at these three layers.
|
In the following section we'll look more closely at these three layers.
|
||||||
|
|
||||||
|
|
||||||
## "OpenPGP keys/certificates": collections of cryptographic keys, identity information and other metadata
|
## "OpenPGP keys/certificates": collections of cryptographic keys, identity information and other metadata
|
||||||
|
|
||||||
A complete "OpenPGP certificate" or "OpenPGP key" is composed of an
|
A complete "OpenPGP certificate" or "OpenPGP key" is composed of an
|
||||||
|
@ -74,7 +45,7 @@ consists mainly of a cryptographic keypair:
|
||||||
![Image](diag/cryptographic_keys.png "A cryptographic keypair")
|
![Image](diag/cryptographic_keys.png "A cryptographic keypair")
|
||||||
|
|
||||||
A cryptographic keypair consists of a private and a public part.
|
A cryptographic keypair consists of a private and a public part.
|
||||||
In this document we'll show the public part of a cryptographic key in green,
|
In this document, we'll show the public part of a cryptographic key in green,
|
||||||
and the private part in red.
|
and the private part in red.
|
||||||
|
|
||||||
We'll visualize cryptographic keypairs in a more compact form:
|
We'll visualize cryptographic keypairs in a more compact form:
|
||||||
|
@ -103,7 +74,7 @@ The fingerprint of the primary key has a central role.
|
||||||
It is used as the unique identifier for the full OpenPGP certificate.
|
It is used as the unique identifier for the full OpenPGP certificate.
|
||||||
|
|
||||||
|
|
||||||
## Components of an OpenPGP key/certificate
|
## What is in a certificate (Structure) / Components of an OpenPGP key/certificate
|
||||||
|
|
||||||
In addition to the primary key, OpenPGP keys/certificates can contain a
|
In addition to the primary key, OpenPGP keys/certificates can contain a
|
||||||
number of other components:
|
number of other components:
|
||||||
|
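Review bot: The renamed heading keeps both titles glued together, `## What is in a certificate (Structure) / Components of an OpenPGP key/certificate`, which reads as an unresolved merge of the outline note and the existing heading rather than a section title, and "(Structure)" says the same thing as "Components". Suggest settling on one, for example `## Components of an OpenPGP key/certificate`, and keeping the outline wording as a comment if it is still needed as a reminder. The same slash-joined pattern is used for the other renamed headings in this commit ("Linking the components of an OpenPGP certificate together / Bindings", "Certifying identity claims / Third party signatures", "Certificate Management / Evolution of a certificate over time"), so the decision should be applied to all of them.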
@ -141,7 +112,6 @@ type of operation (specifically: to allow only *Certification* operations
|
||||||
for the primary key, and to have separate *Signing*, *Encryption* and
|
for the primary key, and to have separate *Signing*, *Encryption* and
|
||||||
*Authentication* subkeys).
|
*Authentication* subkeys).
|
||||||
|
|
||||||
|
|
||||||
### User IDs
|
### User IDs
|
||||||
|
|
||||||
An OpenPGP certificate can contain any number of User IDs.
|
An OpenPGP certificate can contain any number of User IDs.
|
||||||
|
@ -151,12 +121,14 @@ Typically, these identities are composed of a name and an email address.
|
||||||
|
|
||||||
![Image](diag/user_id.png "OpenPGP certificates can contain any number of User IDs")
|
![Image](diag/user_id.png "OpenPGP certificates can contain any number of User IDs")
|
||||||
|
|
||||||
|
#### Primary UserID and its implications
|
||||||
|
|
||||||
### User attributes
|
### User attributes
|
||||||
|
|
||||||
User attributes are similar to User IDs, but less commonly used.
|
User attributes are similar to User IDs, but less commonly used.
|
||||||
|
|
||||||
|
|
||||||
## Linking the components of an OpenPGP certificate together
|
## Linking the components of an OpenPGP certificate together / Bindings
|
||||||
|
|
||||||
Technically, an OpenPGP certificate consists of a sequence of OpenPGP packets.
|
Technically, an OpenPGP certificate consists of a sequence of OpenPGP packets.
|
||||||
These packets are just stringed together, one after the other.
|
These packets are just stringed together, one after the other.
|
||||||
|
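Review bot: The new `#### Primary UserID and its implications` heading is inserted with no body, so it renders as an empty subsection between "### User IDs" and "### User attributes"; add at least a one-line placeholder or keep it as a comment until it is written. Spelling: the surrounding text writes "User ID" as two words ("### User IDs", "any number of User IDs"), so the heading should read "Primary User ID and its implications" for consistency. The slash-joined `## Linking the components of an OpenPGP certificate together / Bindings` at the end of the hunk needs the same single-title decision as the "Components" heading.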
@ -187,6 +159,11 @@ The subkey binding signature also adds metadata.
|
||||||
|
|
||||||
![Image](diag/subkey_binding.png "Linking an OpenPGP subkey to the primary key with a binding signature")
|
![Image](diag/subkey_binding.png "Linking an OpenPGP subkey to the primary key with a binding signature")
|
||||||
|
|
||||||
|
#### Signature Subpackets
|
||||||
|
|
||||||
|
- (key-) expiration
|
||||||
|
- flags
|
||||||
|
|
||||||
#### Binding signing subkeys
|
#### Binding signing subkeys
|
||||||
|
|
||||||
When binding a signing subkey to a primary key, it is not sufficient that the "primary
|
When binding a signing subkey to a primary key, it is not sufficient that the "primary
|
||||||
|
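Review bot: The added `#### Signature Subpackets` section consists only of the two outline fragments "- (key-) expiration" and "- flags" with no sentence around them, so they will publish as bare bullets. Either expand them in place (for example "- key expiration time" and "- key flags, which restrict a key to certification, signing, encryption or authentication", since the file already introduces those four operations in the subkey discussion above) or keep them as a comment until written. Placement is also worth a check: the h4 lands between the subkey binding paragraph and `#### Binding signing subkeys`, which splits the binding discussion in two; placing it after the back-signature explanation keeps the binding material contiguous.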
@ -201,7 +178,7 @@ a "back signature" (because the subkey uses the signature to point "back"
|
||||||
to the primary key).
|
to the primary key).
|
||||||
|
|
||||||
|
|
||||||
### Certifying identity claims
|
### Certifying identity claims / Third party signatures
|
||||||
|
|
||||||
OpenPGP certificate often contain identity markers. Typically in the form
|
OpenPGP certificate often contain identity markers. Typically in the form
|
||||||
of "User ID"s (however, User Attributes are analogous for the purpose of
|
of "User ID"s (however, User Attributes are analogous for the purpose of
|
||||||
|
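Review bot: Duplicate topic: "Third party signatures" is folded into `### Certifying identity claims / Third party signatures` here, but the file still has a separate `## Third party (identity) certifications` top-level heading further down (visible as unchanged context at the end of the diff), so the same subject now has two headings at different levels. Decide which one owns the material and have the other refer to it, and reduce the slash-joined title to one name. Drive-by while touching this line: the unchanged sentence below the heading, "OpenPGP certificate often contain identity markers", should read "OpenPGP certificates often contain identity markers".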
@ -216,11 +193,23 @@ is created. The signature is issued using the primary (secret) key.
|
||||||
|
|
||||||
![Image](diag/user_id_certification.png "Linking a User ID to an OpenPGP certificate")
|
![Image](diag/user_id_certification.png "Linking a User ID to an OpenPGP certificate")
|
||||||
|
|
||||||
|
#### Metadata Leak of Social Graph
|
||||||
|
|
||||||
## Evolution of a certificate over time
|
#### How to generate "minimized" certificate?
|
||||||
|
|
||||||
|
|
||||||
|
## Certificate Management / Evolution of a certificate over time
|
||||||
|
|
||||||
Minimized versions, merging, effective "append only" semantics, ...
|
Minimized versions, merging, effective "append only" semantics, ...
|
||||||
|
|
||||||
|
### Merging
|
||||||
|
- How to merge two copies of the same certificate?
|
||||||
|
- Canonicalization
|
||||||
|
|
||||||
|
### Best Practices regarding Key Freshness
|
||||||
|
- Expiry
|
||||||
|
- Subkey rotation
|
||||||
|
-
|
||||||
## Third party (identity) certifications
|
## Third party (identity) certifications
|
||||||
|
|
||||||
## Revocations
|
## Revocations
|
||||||
|
|
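Review bot: The bare `-` inserted directly before `## Third party (identity) certifications` is an empty list item left over from the outline and will render as an empty bullet; delete it. Two more points in this hunk: `#### How to generate "minimized" certificate?` is added under the identity-certification section, while "Minimized versions, merging, effective "append only" semantics, ..." is the lead sentence of the new `## Certificate Management / Evolution of a certificate over time` section immediately below, so that heading belongs under Certificate Management next to `### Merging` rather than under certifications; and `### Merging` and `### Best Practices regarding Key Freshness` carry only the outline bullets ("How to merge two copies of the same certificate?", "Canonicalization", "Expiry", "Subkey rotation") with no prose, which is acceptable for a structure-only commit but should be marked as to-do so they are not published as-is.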