mirror of
https://codeberg.org/openpgp/notes.git
synced 2025-02-27 13:59:23 +01:00
(verification_chapter)=
# Verification

- Self-authenticating data (unhashed subpackets)

## When are signatures valid?
The validity of a signature is constrained by a number of conditions.

First and foremost, a signature must be cryptographically correct, meaning that both the signature and the signed information must be intact.

Furthermore, signatures on a certificate form a chain, originating from the certificate's primary key and extending down to the signatures issued by the certificate.

To verify whether a signature is valid, the whole signature chain must be checked, taking expiration dates, capabilities and revocations into account.

For example, to verify a data signature over a text document, an implementation must verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate.
The signature might be invalidated by corruption of the text document, corruption of the data signature packet, expiration or revocation of the primary key or the signing subkey, or revocation or expiration of the primary User ID.

Furthermore, the signature might never have been valid in the first place, for example because the subkey binding signature is missing, or because the subkey binding signature lacks the `SIGN_DATA` key flag.
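The chain walk described above, as an added Python illustration that is not code from the OpenPGP notes project: a small model of a certificate (primary key, one subkey with binding signature and back-signature, optional revocations) and a `verify_data_signature` function that checks each link root-first, reporting the first condition that fails. The model is deliberately simplified: the cryptographic check is represented by a boolean field, key ids `PRI` and `SUB` are constructed labels, and User ID expiration and revocation are not modelled. The `SIGN_DATA` bit value follows the Key Flags subpacket definition in RFC 9580.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Key flag bit "this key may be used to sign data" (Key Flags subpacket, RFC 9580).
SIGN_DATA = 0x02


@dataclass
class Signature:
    issuer: str                     # key id of the issuing key (constructed label)
    created: datetime
    expires: Optional[datetime] = None
    key_flags: int = 0              # only meaningful on binding signatures
    crypto_ok: bool = True          # stands in for the real cryptographic check

@dataclass
class Subkey:
    key_id: str
    binding: Optional[Signature] = None     # issued by the primary key over the subkey
    back_sig: Optional[Signature] = None    # issued by the subkey over the primary key
    revocation: Optional[Signature] = None  # subkey revocation, if any

@dataclass
class Certificate:
    primary_id: str
    direct_key_sig: Optional[Signature] = None
    primary_revocation: Optional[Signature] = None
    subkeys: dict = field(default_factory=dict)


def signature_status(sig: Optional[Signature], expected_issuer: str, at: datetime) -> str:
    """Return 'ok', or the reason the signature cannot be relied on at time `at`."""
    if sig is None:
        return "missing"
    if not sig.crypto_ok:
        return "cryptographically invalid"
    if sig.issuer != expected_issuer:
        return f"issued by {sig.issuer} instead of {expected_issuer}"
    if sig.created > at:
        return "created in the future"
    if sig.expires is not None and sig.expires <= at:
        return "expired"
    return "ok"


def revoked_at(rev: Optional[Signature], at: datetime) -> bool:
    return rev is not None and rev.crypto_ok and rev.created <= at


def verify_data_signature(cert: Certificate, data_sig: Signature, at: datetime) -> tuple:
    """Walk the chain root-first: primary key, subkey binding, back-signature, data signature.
    Returns (valid, reason); the first failing link ends the walk."""
    why = signature_status(cert.direct_key_sig, cert.primary_id, at)
    if why != "ok":
        return False, f"direct-key signature {why}"
    if revoked_at(cert.primary_revocation, at):
        return False, "primary key revoked"

    subkey = cert.subkeys.get(data_sig.issuer)
    if subkey is None:
        return False, f"issuer {data_sig.issuer} is not a subkey of {cert.primary_id}"
    why = signature_status(subkey.binding, cert.primary_id, at)
    if why != "ok":
        return False, f"subkey binding signature {why}"
    if not subkey.binding.key_flags & SIGN_DATA:
        return False, "subkey binding signature lacks the SIGN_DATA key flag"
    why = signature_status(subkey.back_sig, subkey.key_id, at)
    if why != "ok":
        return False, f"back-signature {why}"
    if revoked_at(subkey.revocation, at):
        return False, "signing subkey revoked"

    why = signature_status(data_sig, subkey.key_id, at)
    if why != "ok":
        return False, f"data signature {why}"
    return True, "valid"


# Constructed sample: primary key "PRI" with one signing subkey "SUB", both valid for a year.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def sample_certificate(key_flags: int = SIGN_DATA, with_binding: bool = True) -> Certificate:
    cert = Certificate("PRI", direct_key_sig=Signature("PRI", T0, T0 + timedelta(days=365)))
    sub = Subkey("SUB", back_sig=Signature("SUB", T0))
    if with_binding:
        sub.binding = Signature("PRI", T0, T0 + timedelta(days=365), key_flags=key_flags)
    cert.subkeys["SUB"] = sub
    return cert


def sample_data_signature() -> Signature:
    return Signature("SUB", T0 + timedelta(days=30))


if __name__ == "__main__":
    cert = sample_certificate()
    print(verify_data_signature(cert, sample_data_signature(), T0 + timedelta(days=60)))
```

The order of the checks matters: the primary key and its direct-key signature are examined before the subkey binding, and the binding (including its key flags) before the back-signature, so a data signature from a subkey that was never bound, or bound without `SIGN_DATA`, is rejected before the data signature itself is even looked at. Passing a later `at` than the direct-key signature's expiration, or attaching a `revocation` to the subkey, shows how expiration and revocation invalidate an otherwise intact signature.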
```{include} mermaid/09-sigtree.md
```
- Validity as a tree of signatures

## Which signatures take precedence?