From 54f0bb31e4715ff371a1d7053083f970fb5e6049 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 7 Dec 2023 12:02:07 +0100 Subject: [PATCH] fix suggested by paul --- book/source/04-certificates.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 18f20b9..1e8110f 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -326,9 +326,11 @@ Component keys use *Key Expiration Time* subpackets for expressing the expiratio Since OpenPGP certificates act as ["append only" data structures](append-only), existing components or signatures cannot simply be "removed." Instead, they can be marked as invalid by issuing revocation signatures. These additional revocation signatures are added to the certificate. -Each component, such as User ID and a subkey, may be revoked without affecting the rest of the certificate. +Each component, such as User ID and a subkey, can be revoked without affecting the rest of the certificate. -Revoking the primary key with a [*Key revocation signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-revocation-signature-ty) (type ID `0x20`) is a special case: This marks the entire certificate, including all of its components unusable. +The *primary User ID* is an exception: when it is revoked, the entire certificate is considered invalid. + +Revoking the primary key with a [*Key revocation signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-revocation-signature-ty) (type ID `0x20`) also marks the entire certificate, including all of its components, as invalid and unusable. #### Semantics of Revocations
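Review bot: the added sentence "The *primary User ID* is an exception: when it is revoked, the entire certificate is considered invalid." makes a strong claim without a supporting reference, whereas the adjacent sentence on key revocation links to the relevant section of the crypto-refresh draft; please cite the draft section that specifies this behaviour, or reconsider the claim if it cannot be sourced, because it directly contradicts the preceding statement that components can be revoked without affecting the rest of the certificate, and readers of this chapter may base their handling of certificates with a revoked primary User ID on it. Minor, same hunk: "Each component, such as User ID and a subkey, can be revoked" reads better as "Each component, such as a User ID or a subkey, can be revoked".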