mirror of
https://codeberg.org/openpgp/notes.git
synced 2024-11-26 17:42:06 +01:00
ch4: fold outline notes into section structure
This commit is contained in:
parent
46c465ed06
commit
8aa34dfa59
1 changed files with 26 additions and 37 deletions
@ -1,36 +1,6 @@
(certificates_chapter)=
# Certificates / Keys
```
## What is in a certificate (Structure)
### Subkeys
### User IDs / attributes
- Primary UserID and its implications
### Third party signatures
- Metadata Leak of Social Graph
- How to generate "minimized" certificate?
### Bindings
### Signature Subpackets
- (key-) expiration
- flags
## Certificate Management
### Merging
- How to merge two copies of the same certificate?
- Canonicalization
### Best Practices regarding Key Freshness
- Expiry
- Subkey rotation
```
One central (and non-trivial) element of OpenPGP are certificates/keys.
OpenPGP keys are relatively complex data structures, so it's good to have
a clear mental model of them.
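Review bot: the outline being dropped here (from `(certificates_chapter)=` down to `- Subkey rotation`) sat inside a ``` fence, so verify that both the opening fence after `# Certificates / Keys` and the closing one after `- Subkey rotation` are gone with it; otherwise the retained intro paragraph ends up rendered as a code block. While the intro is being kept, `One central (and non-trivial) element of OpenPGP are certificates/keys.` has a subject/verb mismatch; `is`, or `Certificates/keys are one central (and non-trivial) element of OpenPGP.`, reads correctly.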
@ -41,7 +11,7 @@ In the OpenPGP space, the term "key" has historically been used for three
distinct concepts, at three layers, all related to each other:
- (Bare) "cryptographic keys" (without additional metadata).
Those might be the secret and/or public parameters that form a key, e.g. in case of an RSA secret key the exponent `d` along with the prime numbers `p` and `q`.
Those might be the secret and/or public parameters that form a key, e.g., in case of an RSA secret key the exponent `d` along with the prime numbers `p` and `q`.
- OpenPGP *component keys*: "OpenPGP primary keys" and "OpenPGP subkeys".
Those are building blocks of OpenPGP certificates,
they consist of a (bare) cryptographic keypair, plus some invariant metadata (e.g. key creation time).
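Review bot: the only change in this hunk is `e.g.` to `e.g.,` in the RSA sentence, yet `(e.g. key creation time)` two lines below keeps the old form, so the punctuation is now inconsistent within a single list; apply the comma to both or to neither. In the same sentence, `in case of an RSA secret key` should read `in the case of an RSA secret key`.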
@ -52,6 +22,7 @@ Those might be the secret and/or public parameters that form a key, e.g. in case
In the following section we'll look more closely at these three layers.
## "OpenPGP keys/certificates": collections of cryptographic keys, identity information and other metadata
A complete "OpenPGP certificate" or "OpenPGP key" is composed of an
@ -74,7 +45,7 @@ consists mainly of a cryptographic keypair:
![Image](diag/cryptographic_keys.png "A cryptographic keypair")
A cryptographic keypair consists of a private and a public part.
In this document we'll show the public part of a cryptographic key in green,
In this document, we'll show the public part of a cryptographic key in green,
and the private part in red.
We'll visualize cryptographic keypairs in a more compact form:
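Review bot: the convention being introduced around the added comma (`public part ... in green, and the private part in red`) carries the public/private distinction by colour alone, and the figures are embedded images (`diag/cryptographic_keys.png`); name the parts in the alt text or with a label inside the figure so the distinction survives greyscale output and screen readers.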
@ -103,7 +74,7 @@ The fingerprint of the primary key has a central role.
It is used as the unique identifier for the full OpenPGP certificate.
## Components of an OpenPGP key/certificate
## What is in a certificate (Structure) / Components of an OpenPGP key/certificate
In addition to the primary key, OpenPGP keys/certificates can contain a
number of other components:
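Review bot: the new heading `## What is in a certificate (Structure) / Components of an OpenPGP key/certificate` joins two alternative titles with a slash, which will appear verbatim in the TOC and produce an unwieldy anchor; pick one (the outline's `What is in a certificate` or the existing `Components of an OpenPGP key/certificate`) before this lands. In the context just above it, `It is used as the unique identifier for the full OpenPGP certificate.` deserves the caveat that this uniqueness only holds as long as the fingerprint hash is collision-resistant.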
@ -141,7 +112,6 @@ type of operation (specifically: to allow only *Certification* operations
for the primary key, and to have separate *Signing*, *Encryption* and
*Authentication* subkeys).
### User IDs
An OpenPGP certificate can contain any number of User IDs.
@ -151,12 +121,14 @@ Typically, these identities are composed of a name and an email address.
![Image](diag/user_id.png "OpenPGP certificates can contain any number of User IDs")
#### Primary UserID and its implications
### User attributes
User attributes are similar to User IDs, but less commonly used.
## Linking the components of an OpenPGP certificate together
## Linking the components of an OpenPGP certificate together / Bindings
Technically, an OpenPGP certificate consists of a sequence of OpenPGP packets.
These packets are just stringed together, one after the other.
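Review bot: `#### Primary UserID and its implications` lands as an empty heading with no body, and spells `UserID` as one word while its parent heading says `User IDs`; if it has to ship as a placeholder, keep it as an outline bullet as the rest of the file did rather than a bare heading, and write `User ID`. The renamed `## Linking the components of an OpenPGP certificate together / Bindings` has the same slash-joined-title problem as the earlier hunk; settle on one title.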
@ -187,6 +159,11 @@ The subkey binding signature also adds metadata.
![Image](diag/subkey_binding.png "Linking an OpenPGP subkey to the primary key with a binding signature")
#### Signature Subpackets
- (key-) expiration
- flags
#### Binding signing subkeys
When binding a signing subkey to a primary key, it is not sufficient that the "primary
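Review bot: `#### Signature Subpackets` with `(key-) expiration` and `flags` is filed under the subkey binding discussion, but both subpackets also live in the self-certification over a User ID, which is where the primary key's own expiration and key flags are set; either give the topic its own section next to the bindings material or state explicitly that it covers binding signatures and self-certifications alike. As committed it is two bullets under a heading with no prose, so it reads as a stub.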
@ -201,7 +178,7 @@ a "back signature" (because the subkey uses the signature to point "back"
to the primary key).
### Certifying identity claims
### Certifying identity claims / Third party signatures
OpenPGP certificate often contain identity markers. Typically in the form
of "User ID"s (however, User Attributes are analogous for the purpose of
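Review bot: `### Certifying identity claims / Third party signatures` conflates two different things: the section body describes self-certification (`The signature is issued using the primary (secret) key`), whereas a third-party signature is issued by someone else's key, and this same commit keeps a separate `## Third party (identity) certifications` section further down. Drop the `/ Third party signatures` suffix here and leave that material to the later section. Grammar in the context line: `OpenPGP certificate often contain` should be `OpenPGP certificates often contain`.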
@ -216,11 +193,23 @@ is created. The signature is issued using the primary (secret) key.
![Image](diag/user_id_certification.png "Linking a User ID to an OpenPGP certificate")
#### Metadata Leak of Social Graph
## Evolution of a certificate over time
#### How to generate "minimized" certificate?
## Certificate Management / Evolution of a certificate over time
Minimized versions, merging, effective "append only" semantics, ...
### Merging
- How to merge two copies of the same certificate?
- Canonicalization
### Best Practices regarding Key Freshness
- Expiry
- Subkey rotation
-
## Third party (identity) certifications
## Revocations
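Review bot: the `### Best Practices regarding Key Freshness` list ends with a bare `-` that renders as an empty bullet; remove it. `#### Metadata Leak of Social Graph` is placed under the self-certification section, but the social-graph leak comes from third-party certifications carrying the certifier's key ID, so it belongs under `## Third party (identity) certifications`, which this hunk leaves empty. `## Certificate Management / Evolution of a certificate over time` repeats the slash-joined-title pattern flagged on the other renamed headings; choose one title so the TOC and anchors stay usable.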