# Signatures on components This chapter examines {term}`OpenPGP signatures` associated with {term}`certificate components`, applying to: - {term}`component keys`, encompassing {term}`primary keys` and {term}`subkeys` - {term}`identity components`, namely {term}`User IDs` and {term}`User attributes` {term}`Signatures on components` are used to construct and maintain {term}`certificates`, and to model the {term}`authentication` of {term}`identities`. This chapter expands on topics introduced in the [](certificates) chapter. ## Self-signatures vs third-party signatures {term}`Component signatures` in OpenPGP are categorized into two distinct types: - **{term}`self-signatures`**, which are issued by the {term}`certificate holder` using the {term}`certificate`'s {term}`primary key` - **{term}`third-party signatures`**, which are issued by an external entity, not the {term}`certificate holder` (self-signatures)= ### Self-signatures {term}`Self-signatures` are fundamental in creating and managing {term}`OpenPGP certificates`. They bind the various {term}`components` of a {term}`certificate` into one combined data structure and facilitate the {term}`certificate`'s {term}`life-cycle management`. {term}`Life-cycle management` operations include: - {term}`binding` additional {term}`components` to a {term}`certificate` - modifying {term}`expiration time` or other {term}`metadata` of {term}`components` - revoking, and thus invalidating, {term}`components` or existing {term}`self-signatures` {term}`Self-signatures` are issued by the {term}`certificate's owner` using the {term}`certificate`'s {term}`primary key`. ```{note} No [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) is required to issue {term}`self-signatures`. An {term}`OpenPGP primary key` can issue {term}`self-signatures` by default. ``` ### Third-party signatures {term}`Third-party signatures` are pivotal in OpenPGP for decentralized {term}`authentication`, forming the basis of the {term}`Web of Trust`. They encode {term}`authentication`-related statements about {term}`certificates` and linked {term}`identities`, establishing trustworthiness of {term}`identity claims`. Third-party signatures are used to make specific statements: - {term}`certifying` {term}`identity claims` - {term}`delegating` {term}`authentication` decisions - {term}`revoking`, and thus {term}`invalidating`, prior {term}`third-party signature` statements ```{note} The **{term}`certify others`** [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) (`0x01`) is required to issue {term}`third-party signatures`. By convention[^primary-certification], only the {term}`certificate`'s {term}`primary key` can hold this {term}`key flag`. ``` [^primary-certification]: Most current {term}`implementations` assume that only the {term}`primary key` may hold the *{term}`certify others`* {term}`key flag`, although this is not specified in the {term}`RFC`. ### Distinct functions of self-signatures and third-party signatures The meaning of an {term}`OpenPGP signature` depends significantly on its {term}`issuer`. {term}`Self-signatures` and {term}`third-party signatures`, even when of the same [signature type](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-signature-types), serve distinct functions. For example: - {term}`Certifying self-signatures` ({term}`type IDs` `0x10` - `0x13`) bind a {term}`User ID` to a {term}`certificate`. - {term}`Third-party signatures` of the same {term}`type IDs` endorse the {term}`authenticity` of a {term}`User ID` on another user's {term}`certificate`. In another instance: - *When issued as a {term}`self-signature`*, a [direct key signature](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-direct-key-signature-type-i) sets {term}`preferences` and advertises {term}`features` applicable to the entire {term}`certificate`. - *When issued by a {term}`third party`*, especially when it carries a [trust signature](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-trust-signature) {term}`subpacket`, a similar {term}`direct key signature` {term}`delegates` trust to the signed {term}`certificate`. This may designate the signed {term}`certificate` as a {term}`trust anchor` within the {term}`issuer`'s {term}`Web of Trust`. (binding-signatures)= ## Self-signatures in certificate formation and management {term}`Self-signatures` play a crucial role in forming and managing the structure of {term}`OpenPGP certificates`. These act as *{term}`binding signatures`*, joining {term}`components` and embedding {term}`metadata`. Internally, an {term}`OpenPGP certificate` is essentially a series of {term}`packets` strung sequentially. When a {term}`certificate` is stored in a file format known as a [transferable public key](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-transferable-public-keys), {term}`packets` can be easily added or removed. To safeguard against unauthorized additions or alterations of {term}`components`, OpenPGP uses {term}`cryptographic signatures`. These validate that all {term}`components`, such as {term}`subkeys` or [identity components](identity-components), were linked to the {term}`OpenPGP certificate` by its {term}`owner`, using the {term}`primary key`. While anyone can still store unrelated elements to a {term}`certificate` dataset, {term}`OpenPGP implementations` will reject them if they lack a {term}`valid` cryptographic connection with the {term}`certificate`. ```{note} Conversely, omissions of {term}`packets` by third parties can easily occur when handling an {term}`OpenPGP certificate` dataset. This could pose a challenge, for example, when an attacker deliberately omits {term}`revocation` {term}`packets`. Without access to an alternative, complete {term}`certificate` source, recipients might not detect these omissions. ``` However, there are legitimate instances in which third parties add "unbound" {term}`packets` (i.e., not signed by the {term}`certificate`'s {term}`owner`) to a {term}`certificate`: - [Third-party certifications](third-party-certifications) are often stored within the {term}`packet` data of the {term}`certificate` to which they are related. This is a standard practice that provides convenience for users by allowing easy access to all relevant {term}`certifications`. (See [](keyserver-flooding) for discussion of a related pitfall.) - {term}`OpenPGP software` may locally add [unbound identity data](unbound-user-ids) to a {term}`certificate`. (bind-subkey)= ### Binding subkeys to a certificate {term}`Subkeys` are linked to {term}`OpenPGP certificates` via a [subkey binding signature](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#sigtype-subkey-binding) ({term}`type ID` `0x18`). This {term}`signature type` indicates the association of the {term}`primary key` with the {term}`subkey`. A {term}`subkey binding signature` binds a {term}`subkey` to a {term}`primary key`, and it embeds {term}`metadata` into the {term}`signature packet`. Once generated, the {term}`subkey binding signature` {term}`packet` is stored in the {term}`certificate` directly after the {term}`subkey` it binds. {term}`Subkeys` designated for signing purposes, identified by the *{term}`signing`* [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags), represent a unique category and are handled differently. See {numref}`bind-signing-subkey`. ```{figure} plain_svg/subkey_binding_signature.svg :name: fig-subkey-binding-signature :alt: Depicts a diagram on white background with the title "Subkey binding signature". At the top left the symbol of a primary component key with certification capability is shown. At the bottom left the symbol of a component key with encryption capability is shown. The primary component key points at the lower component key with a full green arrow line. In the middle of the connection the small symbol of a signature packet is shown. On the right side of the diagram a detailed version of the signature packet can be found in a box with the title "Subkey binding signature". The text reads "Signature over Primary key, Subkey" and the box with "Signature metadata" contains the list "signature creation time", "key expiration time", "key flags" and "issuer fingerprint". The primary component key points at the detailed signature packet with a dotted green arrow line and the text "Primary key creates a subkey binding signature to bind the subkey to the primary key". Linking an {term}`OpenPGP subkey` to the {term}`primary key` with a {term}`binding signature` ``` {term}`Metadata` for the {term}`subkey`, such as the [*key expiration time*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#key-expiration-subpacket) and {term}`capabilities` set by [*key flags*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#key-flags), are included in {term}`subpackets` within the {term}`subkey binding signature` {term}`packet`. ```{note} The {term}`validity` of a {term}`subkey` is intrinsically linked to that of the {term}`primary key`. An {term}`expired` {term}`primary key` renders any associated {term}`subkey` {term}`invalid`, regardless of the {term}`subkey`'s own {term}`expiration` setting. Legally, a {term}`subkey` may not have a specified {term}`expiration time`. In such cases, its {term}`expiration` aligns implicitly with that of the {term}`primary key`. Additionally, the {term}`creation time` of a {term}`subkey` must always be more recent than that of the {term}`primary key`. ``` (bind-signing-subkey)= ### Special case: Binding signing subkeys {term}`Binding` {term}`subkeys` that possess the *{term}`signing`* {term}`key flag` to a {term}`certificate` represents a unique scenario. While similar to the {term}`binding process` of other {term}`subkeys`, there is an additional, critical requirement: mutual association. That is, to bind a {term}`signing-capable` {term}`subkey` to a {term}`primary key`, it is insufficient that the "{term}`primary key` wants to be associated with the {term}`subkey`." The {term}`subkey` must explicitly signal that it "wants to be associated with the {term}`primary key`." This mutual binding is crucial for security. Without it, an individual (e.g., Alice) could falsely claim a connection to another person's (e.g., Bob's) {term}`signing subkey`. Alice could thus claim to have issued {term}`signatures` which were actually issued by Bob. To prevent such scenarios, where an attacker might wrongfully "adopt" a victim's {term}`signing subkey`, a dual-layer of {term}`signatures` is used: - the [subkey binding signature](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#sigtype-subkey-binding) ({term}`type ID` `0x18`), which is issued by the {term}`certificate`'s {term}`primary key` - the [primary key binding signature](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#sigtype-primary-binding) ({term}`type ID` `0x19`), created by the {term}`subkey` itself. This is informally known as an embedded "{term}`back signature`," because the {term}`subkey`'s {term}`signature` points back to the {term}`primary key`. ```{figure} plain_svg/subkey_binding_signatur_for_signing_sk.svg :name: fig-subkey-binding-signature-for-signing-subkeys :alt: Depicts a diagram on white background with the title "Subkey binding signature for signing subkeys". At the top left the symbol of a primary component key with certification capability is shown. At the bottom left the symbol of a component key with signing capability is shown. The primary component key points at the lower component key with a full green arrow line. In the middle of the connection the small symbol of a signature packet is shown. On the right side of the diagram a detailed version of the signature packet can be found in a box with the title "Subkey binding signature". The text reads "Signature over Primary key, Subkey" and the box with "Signature metadata" in it contains the list "signature creation time", "key expiration time", "key flags" and "issuer fingerprint". Within the signature metadata a box with a green dotted frame extends the list with an inlined signature packet with the title "Embedded Signature; Primary key binding". Its inner text reads "Signature over Primary Key, Signing Subkey". The signature metadata area of this embedded signature holds the list "signature creation time" and "issuer fingerprint". The cryptographic signature symbol overlaps both metadata and general section of the embedded signature. From the signing component key a green dotted arrow line points to the embedded signature in the subkey binding signature with the text "Signing key creates a primary binding signature to associate itself with the primary key" ("primary binding signature" in bold). At the top of the diagram, the primary component key points at the detailed signature packet with a dotted green arrow line and the text "Primary key creates a subkey binding signature to bind the subkey to the primary key". Linking an {term}`OpenPGP signing subkey` to the {term}`primary key` with a {term}`binding signature`, and an embedded {term}`primary key binding signature` ``` The {term}`back signature` signifies the mutuality of the {term}`subkey`'s association with the {term}`primary key` and is embedded as {term}`subpacket` data within the {term}`subkey binding signature`, reinforcing the {term}`authenticity` of the {term}`binding`. (bind-identity)= ### Binding identities to a certificate {term}`Self-signatures` also play a vital role in {term}`binding` {term}`identity components`, such as {term}`User IDs` or {term}`User Attributes`, to an {term}`OpenPGP certificate`. To bind the {term}`User ID` `Alice Adams ` to her {term}`OpenPGP certificate` (`AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3`), Alice would use a {term}`certification signature`. There are four types of *{term}`certifying self-signature`*. The most commonly used {term}`type` for {term}`binding` {term}`User IDs` is the [positive certification](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#sigtype-positive-cert) ({term}`type ID` `0x13`). Alternatively, {term}`type` `0x10`, `0x11`, or `0x12` might be used. This {term}`binding signature` must be issued by the {term}`primary key`. The {term}`certifying self-signature` {term}`packet` – calculated over the {term}`primary key`, {term}`User ID`, and {term}`metadata` of the {term}`signature packet` – is added to the {term}`certificate`, directly following the {term}`User ID` {term}`packet`. ```{figure} plain_svg/user_id_certification.svg :name: fig-user-id-certification :alt: Depicts a diagram on white background with the title "User ID binding signature". At the top left the symbol of a primary component key with certification capability is shown. At the bottom left the symbol of a User ID reads "Alice Adams ". The primary component key points at the User ID with a full green arrow line. In the middle of the connection the small symbol of a signature packet is shown. On the right side of the diagram a detailed version of the signature packet can be found in a box with the title "User ID binding signature". The text reads "Signature over Primary key, User ID" and the box with "Signature metadata" in it contains the list "signature creation time", "key expiration time", "primary User ID flag", "algorithm preferences", "key expiration time (primary key)" and "key flags (primary key)". At the top of the diagram, the primary component key points at the detailed signature packet with a dotted green arrow line and the text "Primary key creates a User ID binding signature to associate the User ID with the primary key". Linking a {term}`User ID` to an {term}`OpenPGP certificate` ``` (primary-metadata)= ### Adding global metadata to a certificate The {term}`signatures` that {term}`bind` {term}`subkeys` and {term}`identity components` to a {term}`certificate` serve dual purposes: linking {term}`components` to the {term}`certificate` and adding {term}`metadata` to {term}`components`. While it is essential to add {term}`metadata` that pertains to the entire {term}`certificate`, this does not require {term}`binding` any {term}`component` to the {term}`certificate`. In this case, the {term}`signature` mechanism is used just to associate {term}`metadata` with the {term}`certificate` globally. Two {term}`signature types` can perform this function: - {term}`direct key signature` on the {term}`primary key` - {term}`primary User ID binding signature` The types of {term}`metadata` typically associated with the {term}`certificate` through these methods include: - {term}`key` {term}`expiration` - {term}`key flags` ({term}`capabilities`) - {term}`features` - {term}`algorithm preferences` signaling (direct-key-signature)= #### Direct key signature A [*direct key signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-direct-key-signature-type-i) serves as the [preferred mechanism](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.2.3.10-9) in OpenPGP v6 for defining {term}`metadata` for the entire {term}`certificate`, by associating it with the {term}`primary key`. (primary-user-id-binding)= #### Self-signature binding to primary User ID In OpenPGP v4, another mechanism was often used for {term}`metadata` management: integrating global {term}`certificate` {term}`metadata` within a {term}`User ID binding signature`. This is specifically evident in the {term}`binding signature` of the [*primary* User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-primary-user-id) of the {term}`OpenPGP certificate`. This method results in the {term}`primary User ID binding signature` containing a mix of {term}`metadata`: some specific to that {term}`User ID` and some applicable to the {term}`certificate` globally. Given the widespread adoption of this mechanism in existing {term}`OpenPGP certificates`, it is crucial that {term}`OpenPGP applications` recognize and manage it. (self-revocations)= ### Revocation self-signatures: Invalidating certificate components {term}`Revocation self-signatures` represent an important class of {term}`self-signatures`, used primarily to invalidate {term}`components` or retract prior {term}`signature` statements. There are several types of {term}`revocation signatures`, each serving a specific purpose: - A [**key revocation signature**](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-revocation-signature-ty) ({term}`type ID` `0x20`) marks a {term}`primary key` as {term}`revoked`. - A [**subkey revocation signature**](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-subkey-revocation-signature) ({term}`type ID` `0x28`) {term}`invalidates` the {term}`binding of a subkey`. - A [**certification revocation**](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-certification-revocation-si) ({term}`type ID` `0x30`) {term}`invalidates` the {term}`binding` of a {term}`User ID` or {term}`User Attribute`. Common scenarios for using {term}`revocations` include marking {term}`certificates` or individual {term}`subkeys` as unusable (e.g., when the {term}`private key` has been compromised or replaced) or declaring {term}`User IDs` as no longer {term}`valid`. ```{note} {term}`OpenPGP certificates` act as append-only data structures in practice. Once elements of a {term}`certificate` are published, they cannot be removed from {term}`key servers` or third-party OpenPGP systems. {term}`Implementations` usually merge all available {term}`components` and {term}`signatures`. {term}`Revocations` are used to mark {term}`components` or {term}`signatures` as {term}`invalid`. ``` Note: {term}`certification signatures` [can be made irrevocable](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-revocable). (hard-vs-soft-revocations)= #### Hard vs soft revocations {term}`Revocation signatures` often include a [*Reason for Revocation* subpacket](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-reason-for-revocation), with a code specifying *why* the {term}`revocation` was issued. This code determines whether the {term}`revocation` is considered *soft* or *hard*. - **{term}`Soft revocation`**: This is typically used for graceful or planned {term}`invalidation` of {term}`components`, such as retiring or updating {term}`components`. It {term}`invalidates` the {term}`component` from the {term}`revocation signature`'s {term}`creation time`, but earlier uses remain {term}`valid`. Soft revocations can be reversed with a new {term}`self-signature`. - **{term}`Hard revocation`**: This irrevocably invalidates the {term}`component`, affecting all past and future uses. It is typically used to signal compromise of {term}`secret key material`. ```{note} A {term}`revocation signature packet` lacking a {term}`Reason for Revocation subpacket` is interpreted as a {term}`hard revocation`. ``` (third-party-certifications)= ## Authentication and delegation in third-party signatures {term}`Third-party signatures` in OpenPGP primarily encode {term}`authentication` statements for {term}`identities` and {term}`delegate` trust decisions. These {term}`signatures` can be manually inspected or processed as machine-readable artifacts by {term}`OpenPGP software`, which evaluates the {term}`authenticity` of {term}`certificates` based on user-specified {term}`trust anchors`. ### Certifying identity components When a {term}`signer` issues a {term}`certifying signature` on an {term}`identity`, it indicates a verified link between the {term}`identity` and the {term}`certificate`. That is, the {term}`signer` vouches for the {term}`identity claim`. For example, Alice can vouch that Bob's {term}`User ID` `Bob Baker ` is legitimately linked with his {term}`certificate` `BB28 9FB7 A68D BFA8 C384 CCCD E205 8E02 D9C6 CD2F 3C7C 56AE 7FB5 3D97 1170 BA83`, by creating a {term}`certification signature`. Bob can then distribute Alice's `certifying signature` as part of his {term}`certificate`. Other users may or may not decide to rely on Alice's statement to determine the {term}`authenticity` of Bob's {term}`certificate`. (delegation)= ### Trust signatures: delegating authentication OpenPGP uses [*trust signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#trust-signature-subpacket) {term}`subpackets` to {term}`delegate` {term}`authentication` decisions, designating the recipient {term}`certificate` as a "{term}`trusted introducer`" (or a {term}`trust anchor`) for the user. This includes specifying {term}`trust depth` (or level) for transitive {term}`delegations` and quantifying trust with numerical values, indicating the extent of reliance on the {term}`introducer`'s {term}`certifications`. {term}`Trust signature` {term}`subpackets` are applicable in {term}`third-party signatures`, more specifically: - {term}`identity certification signatures` ({term}`type ID` `0x10` - `0x13`) - [direct key signatures](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-direct-key-signature-type-i) ({term}`type ID` `0x1F`) (trust-level)= #### Trust depth/level The "{term}`trust depth`" (or {term}`level`) in OpenPGP signifies the extent of transitive {term}`delegation` within the {term}`authentication` process. It determines how far a {term}`delegation` can be extended from the original {term}`trusted introducer` to subsequent intermediaries. Essentially, a {term}`certificate` with a {term}`trust depth` of more than one acts as a "{term}`meta-introducer`," facilitating {term}`authentication` decisions across multiple levels in the network. A {term}`trust depth` of 1 means relying on {term}`certifications` made directly by the {term}`trusted introducer`. The user's OpenPGP software will accept {term}`certifications` made directly by the {term}`introducer` for {term}`authenticating` identities. However, when the {term}`trust depth` is set higher, it implies a chain of {term}`delegation` may extend beyond the {term}`initial introducer`. The user's software will recognize and accept {term}`certifications` made not only by the {term}`primary introducer` but also by other intermediaries whom the {term}`primary introducer` designated as {term}`trusted introducers`. This allows for a more extensive network of trusted {term}`certifications`, enabling a broader and more interconnected {term}`Web of Trust`. (trust-amount)= #### Trust amounts The "{term}`trust amount`," with a numerical value ranging from `0` to `255`, quantifies the degree of reliance on a {term}`delegation`. A higher value indicates greater degree of reliance. This quantification aids {term}`OpenPGP software` in determining an aggregate amount of reliance, based on combined {term}`certifications` from multiple {term}`trusted introducers`. (trust-scope)= #### Limiting delegation scope When using *{term}`trust signature`* {term}`subpackets`, a {term}`delegation` can be limited to {term}`identities` that match a [*regular expression*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#regex-subpacket). With this mechanism, for example, it is possible to {term}`delegate` {term}`authentication` decisions only for {term}`User IDs` that match the email domain of an organization. (wot)= ### Web of Trust: Decentralized trust decisions The {term}`Web of Trust` in OpenPGP is a {term}`trust model` that facilitates {term}`authentication` decisions through a network of {term}`certifications` and {term}`delegations`. It is characterized by a so-called [strong set](https://en.wikipedia.org/wiki/Web_of_trust#Strong_set), which refers to a group of {term}`certificates` that are robustly interconnected via {term}`third-party certifications`. In this model, users independently {term}`delegate` {term}`authentication` decisions, choosing whose {term}`certification` to rely on. This {term}`delegation` is based on the {term}`certificates` and {term}`third-party signatures` available to them, with their {term}`OpenPGP software` applying the {term}`Web of Trust` mechanism to discern the reliability of each {term}`certificate` for an {term}`identity`. The {term}`OpenPGP RFC` doesn't specify exactly how {term}`Web of Trust` calculations are performed. It only defines the data formats on which these calculations can be performed. ### Revoking third-party signatures To reverse a previously issued {term}`third-party signature`, the {term}`issuer` can generate a [*certification revocation signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-certification-revocation-si) ({term}`type ID` `0x30`). The {term}`revocation` must be issued by the same {term}`key` that created the original {term}`signature` or, in deprecated practice, by a designated [Revocation Key](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-revocation-key).