Add a brief explanation of the metadata leak

Wiktor Kwapisiewicz 2023-11-24 12:46:03 +01:00 committed by Heiko Schaefer
parent a5f3ea98e8
commit 1684b35567
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB


@ -507,11 +507,11 @@ After the update, the updated copy of the certificate will usually have a fresh
### Metadata leak of Social Graph
```{admonition} TODO
:class: warning
Third-party certifications, which are signatures made by other certificates, over identity components, form a back-bone of OpenPGP trust-model called the Web of Trust. The name stems from the fact that the collection of certifications forms a unidirectional graph resembling a web. Each edge of graph connects the signing certificate to the identity component associated with another certificate.
write
```
OpenPGP software can inspect that graph, and coupled with trust data and a trust anchor (which usually is the certificate holder's own key), can infer whether the target certificate is genuine.
Third-party certifications are published as part of the target certificate to facilitate the process of certificate authentication. Unfortunately, as a side-effect of this approach it's feasible to reconstruct the entire social graph of all people issuing certifications. The certification's signature creation time can be used to deduct whether the ceritifate owner attended a Key Signing Party (and if it was public where was it) and whom they interacted with.
(unbound_user_ids)=
### Adding unbound User IDs to a certificate
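Review bot: The paragraph beginning "Third-party certifications are published" has two wording errors that change how it reads: "ceritifate" should be "certificate" and "deduct" should be "deduce". Its parenthetical "(and if it was public where was it)" would be clearer as "(and, if it was public, where it took place)". In the paragraph beginning "Third-party certifications, which are signatures", "unidirectional graph" should be "directed graph", since the next sentence describes each edge as running from the signing certificate to the identity component of another certificate. In the same paragraph, "back-bone" and "trust-model" do not need hyphens, and "Each edge of graph" is missing an article. The section describes what the published certifications reveal but says nothing about what a certificate holder can do about it; if that is covered elsewhere in the chapter, a cross-reference here would help.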