diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 8d2ae8c..e80769b 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -93,7 +93,7 @@ In the RFC, the OpenPGP primary key is also sometimes referred to as "top-level In addition to the primary key, modern OpenPGP certificates usually contain a number of "subkeys" (however, it's not technically necessary for a certificate to contain subkeys). -Subkeys have the same structure as the primary key, but they are used in a different role. Subkeys are cryptographically linked with the primary key (more on this below). +Subkeys have the same structure as the primary key, but they are used in a different role. Subkeys are cryptographically linked with the primary key (more on this in {numref}`binding_subkeys`). ```{figure} diag/Subkeys.png :name: Certificate with Subkeys @@ -140,8 +140,14 @@ OpenPGP certificates can contain any number of User IDs One User ID in a certificate has the special property of being the [Primary User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-primary-user-id). -User IDs are associated with preference settings (such as preferred encryption algorithms, more on this below). The preferences associated with the Primary User ID are used by default. +User IDs are associated with preference settings (such as preferred encryption algorithms, more on this in {numref}`zooming_in_user_id`). The preferences associated with the Primary User ID are used by default. +```{admonition} TODO +:class: warning + +i think crypto-refresh suggests that the direct key signature should hold the default preferences? +we might need to write a more nuanced text here, about how DKS and primary user id interact in v6, and mention the differences to v4? +``` #### User attributes 
@@ -172,6 +178,7 @@ Note, though, that there are some cases where third parties legitimately add "un [^flooding]: Storing third-party identity certifications in the target OpenPGP certificate is convenient for consumers: it is easy to find all relevant certifications in one central location. However, when third parties can unilaterally add certifications, this opens an avenue for denial-of-service attacks by flooding. The SKS network of OpenPGP key servers [allowed and experienced this problem](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html). +(binding_subkeys)= #### Binding subkeys to an OpenPGP certificate Linking a subkey to an OpenPGP certificate is done with a ["Subkey Binding Signature"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-subkey-binding). Such a signature signals that the "primary key wants to be associated with the subkey". @@ -852,6 +859,7 @@ Signature Packet, new CTB, 3 header bytes + 325 bytes 00000140 a6 73 c8 33 5a 9c d9 0a ``` +(zooming_in_user_id)= ### User ID User IDs are a mechanism for attaching *identities* to an OpenPGP certificate. Traditionally, User IDs contain a string that combines a name and an email address.
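Review bot: In the first hunk (@@ -93), `{numref}` only resolves a section label when that section carries a number, i.e. when 04-certificates.md sits in a numbered toctree; otherwise Sphinx emits a "failed to create a cross reference" warning and the link is dropped. If the book's toctree is not `:numbered:`, `{ref}`binding_subkeys`` is the safer role, and it also renders the section title rather than a bare number, which reads better in a sentence than "more on this in 4.2.1".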
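Review bot: In the second hunk (@@ -140), the new `TODO` admonition (`:class: warning`) is visible in the rendered book and sits directly under a sentence it calls into question ("The preferences associated with the Primary User ID are used by default"), so readers will see a stated fact immediately followed by an editor's doubt about it. Either keep the note out of the build (an HTML comment, or a `todo` directive that is hidden unless `todo_include_todos` is on) or qualify the sentence itself; and if the admonition stays, capitalise "i think" and turn the two questions into a plain statement of what still needs to be verified.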
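Review bot: In the third hunk (@@ -178), the label `(binding_subkeys)=` is placed directly before the `####` heading, which is what MyST needs for a heading target, but the two labels introduced by this patch follow different naming schemes (`binding_subkeys` names the topic, `zooming_in_user_id` names the section prefix plus topic); pick one convention before more cross-references accumulate in this chapter.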
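Review bot: In the last hunk (@@ -859), the `(zooming_in_user_id)=` label lands on the "### User ID" section, whose opening paragraph is about attaching identities to a certificate, while the sentence in the second hunk that links here promises "more on this" about preference settings. Check that this section actually covers the preference subpackets, and if they are discussed in a later subsection, move the label there so the cross-reference lands on the relevant text; also make sure a blank line separates the label from the closing ``` fence above it so it is parsed as its own block.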