From 8fc4302338c5e1542b95678e9b319124152318a4 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 3 Nov 2023 10:35:36 +0100 Subject: [PATCH] resolve https://codeberg.org/openpgp/notes/pulls/81#issuecomment-1317436 --- book/source/04-certificates.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index b53e461..5cac7d8 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -114,7 +114,9 @@ Commonly used key flags include: - **Authentication**: primarily used for OpenPGP authentication ```{note} -Distinct component keys handle specific operations. The primary key is reserved solely for certification, while separate subkeys are used for signing, encryption, and authentication. Subkeys lack certification capability. Notably, in many algorithms, encryption capability is exclusive and cannot overlap with other operations[^key-flag-sharing]). +Distinct component keys handle specific operations. Only the primary key can be used for certification, although it can have additional capabilities. Subkeys can be used for signing, encryption, and authentication but cannot have the certification capability. It is considered good practice, however, to [use separate keys for each capability](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-10.1.5-7). + +Notably, in many algorithms, encryption and signing-related functionalities (i.e., certification, signing, authentication) are mutually exclusive, because the algorithms only support one of those two families of operations[^key-flag-sharing]). ``` [^key-flag-sharing]: With ECC algorithms, it's impossible to combine encryption functions with those intended for signing. For example, ed25519 is specifically used for signing; cv25519 is designated for encryption.
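Review bot: the new second paragraph of the note still ends with an unbalanced closing parenthesis, `...families of operations[^key-flag-sharing]).`, carried over from the removed line; the parenthetical `(i.e., certification, signing, authentication)` is already closed earlier in the sentence, so the `)` after the footnote reference should be dropped. A smaller point on the same hunk: the "use separate keys for each capability" link pins `draft-ietf-openpgp-crypto-refresh-12` by draft number, so the section reference will go stale as the draft is revised; consider a link that tracks the current revision.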