vanitasvitae/openpgp-notes
1
0
Fork 0
mirror of https://codeberg.org/openpgp/notes.git synced 2024-11-23 08:02:05 +01:00
Code Issues Projects Releases Packages Wiki Activity

s/user ID/User ID/

Browse source
This commit is contained in:
Paul Schaub 2023-10-03 11:29:38 +02:00 committed by Heiko Schaefer
parent be5fff67ab
commit c5ba06dc78
No known key found for this signature in database
GPG key ID: 4A849A1904CCBD7D
1 changed files with 6 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
book/source/06-certifications.md
View file

@ -45,9 +45,9 @@ A certification made by a key over components of the same certificate is referre
The **C**certify Others key flag is not required in order to issue self-certifications. The **C**certify Others key flag is not required in order to issue self-certifications.
It is only necessary to issue valid third-party certifications. It is only necessary to issue valid third-party certifications.
::: :::
A typical use-case for a self-certification is to attach a user ID, such as a name and email address to a certificate. A typical use-case for a self-certification is to attach a User ID, such as a name and email address to a certificate.
This is done by calculating the signature over the user ID and the public primary key. This is done by calculating the signature over the User ID and the public primary key.
The resulting user ID certification (typically type 0x13, potentially type 0x10-0x12) can then be inserted into the certificate, right after the user ID packet. The resulting User ID certification (typically type 0x13, potentially type 0x10-0x12) can then be inserted into the certificate, right after the User ID packet.
Other examples for self-signatures are binding signatures for subkeys. Other examples for self-signatures are binding signatures for subkeys.
In order to add an OpenPGP subkey to a certificate, a subkey binding signature is calculated over the public primary key, followed by the public subkey. In order to add an OpenPGP subkey to a certificate, a subkey binding signature is calculated over the public primary key, followed by the public subkey.
@ -55,15 +55,15 @@ The resulting subkey binding signature (type 0x18) can then be inserted into the
If the subkey itself is intended to be used as a **S**igning key, an extra step is required. If the subkey itself is intended to be used as a **S**igning key, an extra step is required.
To prevent an attacker from being able to "adopt" a victims signing subkey and then being able to claim to be the origin of signatures in fact made by victim, subkey binding signatures for signing subkeys need to include an embedded "back signature" (formally known as primary key binding signature) made by the signing key itself. To prevent an attacker from being able to "adopt" a victims signing subkey and then being able to claim to be the origin of signatures in fact made by victim, subkey binding signatures for signing subkeys need to include an embedded "back signature" (formally known as primary key binding signature) made by the signing key itself.
Certifications over user IDs can also be used to certify certificates of third-parties. Certifications over User IDs can also be used to certify certificates of third-parties.
If Alice is certain that `Bob Baker <bob@example.com>` controls the key 0xB0B, she can create a user ID certification signature for that identity and send it to Bob. If Alice is certain that `Bob Baker <bob@example.com>` controls the key `0xB0B`, she can create a User ID certification signature for that identity and send it to Bob.
Bob can then add this signature to his certificate. Bob can then add this signature to his certificate.
TODO: More WoT. TODO: More WoT.
Another important category of signatures are revocations. Another important category of signatures are revocations.
A revocation is used to retract the statement formed by a prior signature. A revocation is used to retract the statement formed by a prior signature.
A subkey revocation signature revokes a prior subkey binding signature, while a certification revocation revokes a certification signature. A subkey revocation signature revokes a prior subkey binding signature, while a certification revocation revokes a certification signature.
Typical use-cases for revocations are marking certificates or individual subkeys as unusable, or marking user IDs as no longer used. Typical use-cases for revocations are marking certificates or individual subkeys as unusable, or marking User IDs as no longer used.
## Signature Subpackets ## Signature Subpackets