vanitasvitae/openpgp-notes
1
0
Fork 0
mirror of https://codeberg.org/openpgp/notes.git synced 2025-09-10 19:59:40 +02:00
Code Issues Projects Releases Packages Wiki Activity

Start content of verification chapter

Browse source
This commit is contained in:
Paul Schaub 2023-10-09 14:39:38 +02:00
parent a7a7342501
commit 2dd5eb42d3
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
2 changed files with 37 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

14
book/source/09-verification.md
View file

@ -5,6 +5,20 @@
## When are signatures valid?
The validity of a signature is constrained by a number of conditions.
First and foremost, a signature must be cryptographically correct, meaning the signature as well as the signed information must be intact.
Futhermore, signatures on a certificate form a chain, originating from the certificates primary key down to signatures issued by the certificate.
In order to verify, whether a signature is valid, the whole signature chain must be checked, taking expiration dates, capabilities and revocations into account.
For example, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate.
The signature might be invalidated by corruption of the text document, corruption of the data signature packet, expiration or revocation of the primary or signing subkey, or revocation/expiration of the primary User ID.
Furthermore, the signature might not be valid in the first place, due to a missing subkey binding signature, or a missing `SIGN_DATA` keyflag on the subkey binding signature.
```{include} mermaid/09-sigtree.md
```
- Validity as a tree of signatures
## Which signatures take precedence?