From ae776d2b138509685ae3204cba8cf1754cbe7273 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 7 Oct 2023 18:27:48 +0200 Subject: [PATCH] Signature Types --- book/source/06-certifications.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/book/source/06-certifications.md b/book/source/06-certifications.md index fc0db13..327a521 100644 --- a/book/source/06-certifications.md +++ b/book/source/06-certifications.md 
@@ -115,6 +115,18 @@ Typical use-cases for revocations are marking certificates or individual subkeys A revocation signature can either be hard or soft. A soft revocation of a certificate invalidates it from the revocation signature's creation time onwards, meaning signatures that were issued before the revocation remain intact, while a hard revocation invalidates the certificate retroactively, rendering all issued signatures invalid, regardless of creation time. Soft revocations are typically used whenever a key or User ID is retired or superseded gracefully, while hard revocations can for example signal compromise of secret key material. +## Signature Types +There is a number of different Signature Types in the form of numerical IDs. +These give guidance on what the intent of a signature is and how it needs to be interpreted, however, the meaning of a signature also depends on who issued it. +A self-signature has a different meaning from a signature issued by a third party. + +A `DirectKeySignature` issued as a self-signature can be used to set preferences and advertise features that apply to the whole certificate. +A third-party `DirectKeySignature` carrying a `TrustSignature` subpacket on the other hand can be interpreted as a statement by the issuer that it delegates trust to the signed certificate (WoT). + +Self-certifications of types `0x10` - `0x13` can be used to bind a User ID to a certificate, while the same types issued by a third-party are statements by the issuer that they have checked the authenticity of the signed User ID to some degree. + +There are further signature types for signatures on data, as well as designated types to bind and revoke subkeys. + ## Signature Subpackets A cryptographic signature alone is often not expressive enough to serve certain use-cases.
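Review bot: the new section mixes two naming conventions for signature types: the `DirectKeySignature` paragraphs use a symbolic name only, while the next paragraph refers to certifications purely by their numeric IDs `0x10` - `0x13`. Since the opening sentence says types come "in the form of numerical IDs", give the numeric ID alongside each symbolic name (or the symbolic names alongside the numeric range) so a reader can map both paragraphs onto the same table of IDs; the closing sentence ("further signature types for signatures on data, as well as designated types to bind and revoke subkeys") would also benefit from naming those types. Smaller points in the same hunk: "There is a number of different Signature Types" should read "There are a number of different signature types"; the sentence "These give guidance on what the intent of a signature is and how it needs to be interpreted, however, the meaning of a signature also depends on who issued it." is a comma splice and reads better split at "interpreted."; "issued by a third-party" should be "issued by a third party" (hyphenate only the adjective form, as in "third-party `DirectKeySignature`"); and "(WoT)" appears here without its expansion, so spell out "Web of Trust (WoT)" on first use.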