add footnote about privately held certifications

Heiko Schaefer 2023-12-05 23:36:26 +01:00
parent 9ece6aa578
commit 53eb8de0d9
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB


@ -385,7 +385,9 @@ When thinking about edge cases, it's useful to "assume the worst." For example:
#### Differing "views" of a certificate exist
Another way to think about this discussion is that different OpenPGP users may have a different view of any certificate. There is a notional "canonical" version of the certificate, but we cannot assume that every user has exactly this copy. Besides propagation of elements that the certificate holder has linked to a certificate, third-party certifications are by design a distributed mechanism. A third-party certification is issued by a third party, and may or may not be distributed widely by them, or by the certificate holder. Not distributing third-party certifications widely is a workflow that may be entirely appropriate for some use cases.
Another way to think about this discussion is that different OpenPGP users may have a different view of any certificate. There is a notional "canonical" version of the certificate, but we cannot assume that every user has exactly this copy. Besides propagation of elements that the certificate holder has linked to a certificate, third-party certifications are by design a distributed mechanism. A third-party certification is issued by a third party, and may or may not be distributed widely by them, or by the certificate holder. Not distributing third-party certifications widely is a workflow that may be entirely appropriate for some use cases[^tpc-privacy].
[^tpc-privacy]: The two parties to a certification (the issuer and the target of the certification) may prefer not to publish their mutual association. Also see {ref}`metadata_graph`.
As a general tendency, it is desirable for OpenPGP users to have the most complete possible view of all certificates that they interact with.
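Review bot: the new footnote `[^tpc-privacy]` cross-references `metadata_graph`, a label that this same commit introduces further down in the file, so the link only resolves if both parts land together; a docs build with warnings treated as errors would flag a missing or renamed target. As rendered here the `[^tpc-privacy]:` definition line sits directly under the paragraph it annotates; make sure a blank line separates them so the definition is not parsed as a continuation of the paragraph. Minor wording: "Also see {ref}`metadata_graph`." reads more naturally as "See also {ref}`metadata_graph`."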
@ -564,6 +566,7 @@ Once the expiration time is reached, third parties, or ideally their OpenPGP sof
After the update, the updated copy of the certificate will usually have a fresh expiration time. The same procedure will repeat once that new expiration time has been reached.
(metadata_graph)=
### Metadata leak of Social Graph
Third-party certifications are signatures over identity components made by other certificates.
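Review bot: the `(metadata_graph)=` target is placed directly above the `### Metadata leak of Social Graph` heading, which is where a MyST label has to sit for `{ref}` to resolve to the section; since this label is now referenced from the footnote added earlier in this file, any later rename or move of the section must keep the target (or update the footnote) to avoid a broken cross-reference. While here, the heading's capitalization ("Social Graph") differs from the sentence-case style of neighbouring headings such as `#### Differing "views" of a certificate exist`; consider "Metadata leak of social graph".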