This commit is contained in:
Tammi L. Coles 2023-12-04 12:57:44 +00:00
parent a20aaba4d3
commit 34954ef996


@ -153,9 +153,9 @@ Linking a User ID to an OpenPGP certificate
The signatures that bind subkeys and identity components to a certificate serve dual purposes: linking components to the certificate and adding metadata to components.
Adding metadata that applies to the entire certificate is also essential, but doesn't require the function of binding any component to the certificate. Instead, for this use case, the signature mechanism is used just to associate metadata globally with the certificate.
While it is essential to add metadata that pertains to the entire certificate, this does not require binding any component to the certificate. In this case, the signature mechanism is used just to associate metadata globally with the certificate.
Two types of signature can be used to perform this function, for more details see below:
Two signature types can perform this function:
- direct key signature on the primary key
- *primary User ID* binding signature
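Review bot: the rewrite of "Two types of signature can be used to perform this function, for more details see below:" to "Two signature types can perform this function:" drops the forward pointer to the two subsections that describe each mechanism. Since the list items "direct key signature on the primary key" and "*primary User ID* binding signature" are followed by a dedicated subsection for each, consider keeping a short cross-reference, e.g. "Two signature types can perform this function (both are described below):", so a reader landing on this list knows the details follow rather than having to search for them.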
@ -174,11 +174,11 @@ A [*direct key signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-cr
#### Self-signature binding to primary User ID
In OpenPGP v4, another mechanism was often used for this purpose: Piggybacking the global certificate metadata into a User ID binding signature. Specifically, the binding signature of the [*primary* User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-primary-user-id) of the OpenPGP certificate.
In OpenPGP v4, another mechanism was often used for metadata management: integrating global certificate metadata within a User ID binding signature. This is specifically evident in the binding signature of the [*primary* User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-primary-user-id) of the OpenPGP certificate.
When using this mechanism, the primary User ID binding signature contains a mix metadata: some that applies just to that particular User ID, and some that applies to the certificate, globally.
This method results in the primary User ID binding signature containing a mix of metadata: some specific to that User ID and some applicable to the certificate globally.
Many existing OpenPGP certificates are using this mechanism, so OpenPGP applications need to be able to handle it.
Given the widespread adoption of this mechanism in existing OpenPGP certificates, it is crucial that OpenPGP applications recognize and manage it.
(self-revocations)=
### Revocation self-signatures: Invalidating certificate components
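Review bot: the new sentence "This is specifically evident in the binding signature of the [*primary* User ID] of the OpenPGP certificate" is less precise than the original "Specifically, the binding signature of the [*primary* User ID] of the OpenPGP certificate." The original states where the global metadata is placed (in the primary User ID's binding signature, and only that one); "is specifically evident in" reads as though the mechanism is merely observable there, which loses the point that applications must look at the primary User ID's self-signature in particular to find certificate-wide metadata such as key flags or expiration. Suggest "Specifically, the global certificate metadata is placed in the binding signature of the [*primary* User ID] of the OpenPGP certificate." Similarly, in the last changed line, "recognize and manage it" softens the original "need to be able to handle it"; "must be able to read global metadata from it" states the actual requirement on implementations.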