edit ch8 binding identities

This commit is contained in:
Tammi L. Coles 2023-11-23 14:02:13 +01:00
parent 7d1d69d372
commit 28a69fe381


@ -126,23 +126,19 @@ The back signature signifies the mutuality of the subkey's association with the
(bind_ident)= (bind_ident)=
### Binding identities to a certificate ### Binding identities to a certificate
Another use-case for a self-signature is to link an identity component (such as a User ID that specifies a name and email address) to a certificate. Self-signatures also play a vital role in binding identity components, such as User IDs or User Attributes, to an OpenPGP certificate.
User ID components are bound to an OpenPGP certificate by issuing a certifying self-signature. "User Attributes" work analogously. Take for instance, the User ID `Alice Adams <alice@example.org>`. To link this User ID to her OpenPGP certificate (e.g., `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3`), Alice would use a cryptographic signature.
For example, the User ID `Alice Adams <alice@example.org>` may be associated with Alice's certificate `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3`. There are four types of *certifying self-signature*. The most commonly used type for binding User IDs is the [positive certification](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-positive-cert) (type ID `0x13`). Alternatively, types `0x10`, `0x11` or `0x12` might be used. This binding signature must be issued by the primary key.
Alice can link a User ID to her OpenPGP certificate with a cryptographic signature. To link a User ID, a *certifying self-signature* is created. There are four variant certifying self-signature types. Usually the signature type [positive certification](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-positive-cert) (type ID `0x13`) is used to bind User IDs to one's certificate (sometimes, type ID `0x10`, `0x11` or `0x12` may be used instead). This binding signature must be issued by the primary key. The certifying self-signature packet calculated over the primary key, User ID, and metadata of the signature packet is then appended to the certificate, directly following the User ID packet.
The resulting certifying self-signature packet is stored as part of the certificate, directly following the User ID packet.
```{figure} diag/user_id_certification.png ```{figure} diag/user_id_certification.png
Linking a User ID to an OpenPGP certificate Linking a User ID to an OpenPGP certificate
``` ```
This signature is calculated over the primary key, User ID and the metadata of the signature packet.
(primary-metadata)= (primary-metadata)=
### Adding metadata to the primary key/certificate ### Adding metadata to the primary key/certificate
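Review bot: the rewritten Alice paragraph reads "Take for instance, the User ID ..." with a misplaced comma; make it "Take, for instance, the User ID ..." (or drop the comma). The same paragraph now says Alice "would use a cryptographic signature" and the next one opens with "There are four types of *certifying self-signature*", but the removed sentence "To link a User ID, a *certifying self-signature* is created" was what tied the two together, so consider stating that the signature Alice uses is a certifying self-signature before listing its four types. The merged final sentence does preserve both facts from the two deleted lines (calculated over the primary key, User ID and signature metadata; appended directly after the User ID packet), so nothing substantive is lost there.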