Merge branch 'draft' into tammi-ch8-heiko

# Conflicts:
#	book/source/08-signing_components.md

book/source/08-signing_components.md

@@ -91,6 +91,8 @@ A subkey binding signature binds a subkey to a primary key, and it embeds metada
 Subkeys designated for signing purposes, identified by the *signing* [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags), represent a unique category and are handled differently. See {numref}`bind_subkey_sign`.
 
 ```{figure} diag/subkey_binding_signature.png
+:name: fig-subkey-binding-signature
+:alt: Depicts a diagram on white background with the title "Subkey binding signature". At the top left the symbol of a primary component key with certification capability is shown. At the bottom left the symbol of a component key with encryption capability is shown. The primary component key points at the lower component key with a full green arrow line. In the middle of the connection the small symbol of a signature packet is shown. On the right side of the diagram a detailed version of the signature packet can be found in a box with the title "Subkey binding signature". The text reads "Signature over Primary key, Subkey" and the box with "Signature metadata" contains the list "signature creation time", "key expiration time", "key flags" and "issuer fingerprint". The primary component key points at the detailed signature packet with a dotted green arrow line and the text "Primary key creates a subkey binding signature to bind the subkey to the primary key".
 
 Linking an OpenPGP subkey to the primary key with a binding signature
 ```
@@ -116,6 +118,8 @@ This mutual binding is crucial for security. Without it, an individual (e.g., Al
 - the [primary key binding signature](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#sigtype-primary-binding) (type ID `0x19`), created by the subkey itself. This is informally known as an embedded "back signature," because the subkey's signature points back to the primary key.
 
 ```{figure} diag/subkey_binding_signatur_for_signing_sk.png
+:name: fig-subkey-binding-signature-for-signing-subkeys
+:alt: Depicts a diagram on white background with the title "Subkey binding signature for signing subkeys". At the top left the symbol of a primary component key with certification capability is shown. At the bottom left the symbol of a component key with signing capability is shown. The primary component key points at the lower component key with a full green arrow line. In the middle of the connection the small symbol of a signature packet is shown. On the right side of the diagram a detailed version of the signature packet can be found in a box with the title "Subkey binding signature". The text reads "Signature over Primary key, Subkey" and the box with "Signature metadata" in it contains the list "signature creation time", "key expiration time", "key flags" and "issuer fingerprint". Within the signature metadata a box with a green dotted frame extends the list with an inlined signature packet with the title "Embedded Signature; Primary key binding". Its inner text reads "Signature over Primary Key, Signing Subkey". The signature metadata area of this embedded signature holds the list "signature creation time" and "issuer fingerprint". The cryptographic signature symbol overlaps both metadata and general section of the embedded signature. From the signing component key a green dotted arrow line points to the embedded signature in the subkey binding signature with the text "Signing key creates a primary binding signature to associate itself with the primary key" ("primary binding signature" in bold). At the top of the diagram, the primary component key points at the detailed signature packet with a dotted green arrow line and the text "Primary key creates a subkey binding signature to bind the subkey to the primary key".
 
 Linking an OpenPGP signing subkey to the primary key with a binding signature, and an embedded primary key binding signature
 ```
@@ -134,6 +138,8 @@ There are four types of *certifying self-signature*. The most commonly used type
 The certifying self-signature packet – calculated over the primary key, User ID, and metadata of the signature packet –  is then added to the certificate, directly following the User ID packet.
 
 ```{figure} diag/user_id_certification.png
+:name: fig-user-id-certification
+:alt: Depicts a diagram on white background with the title "User ID binding signature". At the top left the symbol of a primary component key with certification capability is shown. At the bottom left the symbol of a User ID reads "Alice Adams <alice@example.org>". The primary component key points at the User ID with a full green arrow line. In the middle of the connection the small symbol of a signature packet is shown. On the right side of the diagram a detailed version of the signature packet can be found in a box with the title "User ID binding signature". The text reads "Signature over Primary key, User ID" and the box with "Signature metadata" in it contains the list "signature creation time", "key expiration time", "primary User ID flag", "algorithm preferences", "key expiration time (primary key)" and "key flags (primary key)". At the top of the diagram, the primary component key points at the detailed signature packet with a dotted green arrow line and the text "Primary key creates a User ID binding signature to associate the User ID with the primary key".
 
 Linking a User ID to an OpenPGP certificate
 ```
@@ -167,6 +173,7 @@ In OpenPGP v6, a direct key signature is the [preferred mechanism](https://www.i
 
 In an OpenPGP certificate, one User ID serves as the [*primary* User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-primary-user-id). The metadata in the binding self-signature on this User ID applies to the certificate's primary key.
 
+(self-revocations)=
 ### Revocation self-signatures: Invalidating certificate components
 
 Revocation self-signatures represent an important class of self-signatures, used primarily to invalidate components or retract prior signature statements.