vanitasvitae/openpgp-notes
1
0
Fork 0
mirror of https://codeberg.org/openpgp/notes.git synced 2025-09-10 11:49:40 +02:00
Code Issues Projects Releases Packages Wiki Activity

edit signatures on components intro, self-sig v 3rd party

Browse source
This commit is contained in:
Tammi L. Coles 2023-11-23 10:16:29 +01:00
parent 1331e9bb5a
commit 2340333f40
1 changed files with 19 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

38
book/source/08-signing_components.md
View file

@ -6,33 +6,33 @@ SPDX-License-Identifier: CC-BY-SA-4.0
(component_signatures_chapter)= (component_signatures_chapter)=
# Signatures on components # Signatures on components
In this chapter, we'll look at OpenPGP signatures that apply to components of certificates. That is, signatures that apply to: This chapter examines OpenPGP signatures associated with certificate components, applying to:
- Component keys (primary keys or subkeys) and - component keys, encompassing primary keys and subkeys
- Identity components (User IDs or User attributes). - identity components, namely user IDs and user attributes
Signatures on components are used to construct and maintain certificates, and to model the authentication of identities. Signatures on components are used to construct and maintain certificates, and to model the authentication of identities.
This chapter expands on topics we introduced in the {ref}`certificates_chapter` chapter. This chapter expands on topics introduced in the {ref}`certificates_chapter` chapter.
## Self-signatures vs third-party signatures ## Self-signatures vs third-party signatures
There are two fundamentally different flavors of signatures on components: Component signatures in OpenPGP are categorized into two distinct types:
- *Self-signatures*, which are issued by the certificate holder themselves using the primary key of the certificate, and - **self-signatures**, which are issued by the certificate holder using the certificate's primary key
- *third-party signatures*, which are issued by a third party. - **third-party signatures**, which are issued by an external entity, not the certificate holder
### Self-signatures ### Self-signatures
*Self-signatures* on components are a crucial mechanism for forming OpenPGP certificates (by binding the certificate's components into one combined data structure), as well as for life-cycle management of certificates (that is: performing changes to the certificate, over time). Self-signatures are fundamental in creating and managing OpenPGP certificates. They bind the various components of a certificate into one combined data structure and facilitate the certificate's life-cycle management.
Life-cycle management operations on OpenPGP certificates and their components include: Life-cycle management operations include:
- binding additional components to a certificate, - binding additional components to a certificate
- changing the expiration date, or other metadata, of a component, and - modifying expiration dates or other metadata of components
- invalidating components or existing self-signatures using revocations. - revoking, and thus invalidating, components or existing self-signatures
Self-signatures are issued by the certificate's owner, using the primary key of the same certificate. Self-signatures are issued by the certificate's owner using the certificate's primary key.
```{note} ```{note}
No [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) is required to issue self-signatures. An OpenPGP primary key can issue self-signatures by default. No [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) is required to issue self-signatures. An OpenPGP primary key can issue self-signatures by default.
@ -40,16 +40,16 @@ No [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-
### Third-party signatures ### Third-party signatures
Third-party signatures on components form the basis for OpenPGP's decentralized authentication functionality (also known as the *Web of Trust*). They encode authentication-related statements about certificates and their associated identities. Third-party signatures are pivotal in OpenPGP for decentralized authentication, forming the basis of the *Web of Trust*. They encode authentication-related statements about certificates and linked identities, establishing trustworthiness and verification.
Third-party OpenPGP signatures can be used to make the following types of statements: Third-party signatures are used to make specific statements:
- Certification of identity claims, - certifying identity claims
- Delegation of authentication decisions, - delegating authentication decisions
- Invalidating previous third-party signature statements using revocations. - revoking, and thus invalidating, prior third-party signature statements
```{note} ```{note}
The **certify others** [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) (`0x01`) is required to issue third-party signatures. Only the primary key of a certificate may hold this key flag. The **certify others** [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) (`0x01`) is required to issue third-party signatures. Only the certificate's primary holds this key flag.
``` ```
### Self-signatures and third-party signatures convey different meanings ### Self-signatures and third-party signatures convey different meanings