From fc665cb19738a4f0c03e95b0985d28f79e199e77 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Wed, 22 Nov 2023 17:34:53 +0100 Subject: [PATCH] ch4: clarification as suggested by wiktor --- book/source/04-certificates.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index f0b3e12..ef106aa 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -183,6 +183,8 @@ Instead, this kind of metadata is stored as part of the signature packets that j - For subkeys, metadata is defined with the [subkey binding signature](binding_subkeys) that links the subkey to the certificate. - For identity components like User IDs, metadata is associated via the [certifying self-signature](bind_ident) that links the identity to the certificate. +Note that the components of an OpenPGP certificate are themselves never changed, after their initial creation. By storing associated metadata in signatures, it can be modified at a later point in time by issuing a new signature that replaces the previous one. For example, the certificate holder can change the expiration time of a component of their certificate by issuing a new signature. + ### Defining operational capabilities of component keys with key flags Each component key has a set of ["key flags"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) that delineate the operations a key can perform.
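Review bot: in the added paragraph of the single hunk in book/source/04-certificates.md, "replaces the previous one" overstates what happens: a new self-signature does not remove the earlier signature from the certificate, it supersedes it, and it is the consuming implementation that has to prefer the newest valid signature when both are present. Suggest rewording to "...by issuing a new signature that supersedes the previous one; the older signature typically remains in the certificate, and implementations must select the most recent valid one", since a reader of this chapter could otherwise assume an old expiration time is physically gone once a new one is issued. Two smaller points in the same lines: the comma in "never changed, after their initial creation" should be dropped, and "it can be modified" has an unclear referent (the metadata, not the signature); "that metadata can be modified later" reads cleanly. It would also help to say in the example sentence that issuing the new binding or certifying self-signature requires the certificate holder's primary secret key, which is the reason only the holder can change this metadata.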