vanitasvitae/openpgp-notes
1
0
Fork 0
mirror of https://codeberg.org/openpgp/notes.git synced 2025-09-10 03:39:41 +02:00
Code Issues Projects Releases Packages Wiki Activity

Other changes

Browse source
This commit is contained in:
Paul Schaub 2023-11-08 11:59:46 +01:00 committed by Heiko Schaefer
parent 6f220c9f39
commit 3276ab79d7
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB
1 changed files with 16 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

18
book/source/09-verification.md
View file

@ -10,9 +10,23 @@ SPDX-License-Identifier: CC-BY-SA-4.0
## When are signatures valid?
There is a difference between signature *correctness* and *validity*.
A signature might be correct, but still disqualify as a valid signature.
The validity of a signature is constrained by a number of conditions.
First and foremost, a signature must be cryptographically correct, meaning the signature as well as the signed information must be intact.
Futhermore, signatures on a certificate form a chain, originating from the certificates primary key down to signatures issued by the certificate.
First and foremost, a signature must be cryptographically correct, meaning the signature, as well as the signed information must be intact.
### Temporal validity
A signature is valid only for a constrained period of time.
A hard, lower constraint for the validity period is the creation time of the signature.
An upper constraint might be its expiration time.
When checking a signature for validity, a reference time is defined.
For an email that might be the signature creation time itself, or the reception date.
For the signature to qualify as valid, it needs to be effective, in other words, the reference time must fall into the period from signature creation to signature expiration.
Futhermore, signatures on a certificate form a chain, or rather a tree of signatures, originating from the certificates primary key down to signatures issued by the certificate.
In order to verify, whether a signature is valid, the whole signature chain must be checked, taking expiration dates, capabilities and revocations into account.
For example, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate.