From 53eb8de0d9c8a6262c68071aa9bada4d478a6fd2 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 5 Dec 2023 23:36:26 +0100 Subject: [PATCH] add footnote about privately held certifications --- book/source/04-certificates.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index d470156..b658093 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -385,7 +385,9 @@ When thinking about edge cases, it's useful to "assume the worst." For example: #### Differing "views" of a certificate exist -Another way to think about this discussion is that different OpenPGP users may have a different view of any certificate. There is a notional "canonical" version of the certificate, but we cannot assume that every user has exactly this copy. Besides propagation of elements that the certificate holder has linked to a certificate, third-party certifications are by design a distributed mechanism. A third-party certification is issued by a third party, and may or may not be distributed widely by them, or by the certificate holder. Not distributing third-party certifications widely is a workflow that may be entirely appropriate for some use cases. +Another way to think about this discussion is that different OpenPGP users may have a different view of any certificate. There is a notional "canonical" version of the certificate, but we cannot assume that every user has exactly this copy. Besides propagation of elements that the certificate holder has linked to a certificate, third-party certifications are by design a distributed mechanism. A third-party certification is issued by a third party, and may or may not be distributed widely by them, or by the certificate holder. Not distributing third-party certifications widely is a workflow that may be entirely appropriate for some use cases[^tpc-privacy]. + +[^tpc-privacy]: The two parties to a certification (the issuer and the target of the certification) may prefer not to publish their mutual association. Also see {ref}`metadata_graph`. As a general tendency, it is desirable for OpenPGP users to have the most complete possible view of all certificates that they interact with. 
@@ -564,6 +566,7 @@ Once the expiration time is reached, third parties, or ideally their OpenPGP sof After the update, the updated copy of the certificate will usually have a fresh expiration time. The same procedure will repeat once that new expiration time has been reached. +(metadata_graph)= ### Metadata leak of Social Graph Third-party certifications are signatures over identity components made by other certificates.
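Review bot: in the first hunk the new footnote marker is placed before the sentence-final period ("some use cases[^tpc-privacy]."); the usual convention is to put the reference after the punctuation, i.e. "...for some use cases.[^tpc-privacy]". In the footnote body, "Also see {ref}`metadata_graph`." reads more naturally as "See also {ref}`metadata_graph`.". The `metadata_graph` target that the footnote references is defined in the second hunk of this same patch, so the cross-reference resolves as long as both hunks land together.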
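Review bot: in the second hunk, the `(metadata_graph)=` target is added directly above the `### Metadata leak of Social Graph` heading, so a bare `{ref}` will render that full heading text as the link label; if a shorter label is wanted in the footnote, the explicit form `` {ref}`metadata leak <metadata_graph>` `` avoids that. While touching this heading, note that its capitalization ("Social Graph") differs from the sentence case used by the other heading visible in this patch ("#### Differing "views" of a certificate exist").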