mirror of https://codeberg.org/openpgp/notes.git (synced 2025-09-09 11:19:41 +02:00)
ch4: merging: process feedback from paul in #121
parent 61ada929e7
commit 113077109b
1 changed files with 6 additions and 2 deletions
|
@ -357,8 +357,12 @@ For example, Bob's OpenPGP system may have a local copy of Alice's certificate,
|
|||
|
||||
Merging two versions of a certificate involves making decisions about which packets should be kept. The versions of the certificate will typically contain some packets that are identical. No duplicates of the exact same packet should be stored in the merged version of the certificate. Additionally, if the newly obtained copy contains packets that are in fact entirely unrelated to the certificate, those should not be retained (a third party may have included unrelated packets, either by mistake, or with malicious intent).
|
||||
|
||||
- How to merge two copies of the same certificate?
|
||||
- Canonicalization
|
||||
#### Handling unauthenticated information
|
||||
|
||||
For information that *is* related to the certificate, but not bound to it by a self-signature, there is no generally correct approach. The receiving implementation must revolve these cases, possibly in a context-specific manner. Such cases include:
|
||||
|
||||
- Third-party certifications. These could be valuable information, where a third party attests that the association of an identity to a certificate is valid. On the other hand, they could also be a type of spam.
|
||||
- Subpackets in the unhashed area of a signature packet. Again, these could contain information that is useful to the recipient. However, the data could also be either useless, or even misleading/harmful.
|
||||
|
||||
(cert-mini)=
|
||||
### Certificate minimization
|
||||
|
|
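Review bot: typo in the paragraph under "#### Handling unauthenticated information": "must revolve these cases" should read "must resolve these cases". In the second bullet, "useless, or even misleading/harmful" leaves the reader to work out why the unhashed area is in this category; a short clause saying that unhashed subpackets are not covered by the signature's hash, so anyone who handles the certificate can add or change them without invalidating the signature, would make the link to "unauthenticated" explicit. The first bullet would also read more precisely if it said that a third-party certification is authenticated by its issuer but not by the certificate holder, which is why the receiver cannot treat it like self-signed material. Finally, the outline bullets "How to merge two copies of the same certificate?" and "Canonicalization" appear directly after the merging paragraph; if they are leftover placeholders, check that canonicalization is still covered somewhere, since the new text does not mention it.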