ch4: edits for clarity

book/source/04-certificates.md

@@ -1,63 +1,65 @@
 (certificates_chapter)=
-# Certificates / Keys
+# Certificates
 
-One central (and non-trivial) element of OpenPGP are certificates/keys. OpenPGP keys are relatively complex data structures, so it's good to have a clear mental model of them.
+One central (and non-trivial) element of OpenPGP are certificates (also often called "keys"). OpenPGP certificates are relatively complex data structures, so it's good to have a clear mental model of them.
 
-## Terminology: various meanings of "key"
+## Terminology: The various meanings of "key"
 
-[Two dimensions: 1. private/public, 2. level of abstraction]
+### Private vs. public keys
 
-In the OpenPGP space, the term "key" has historically been used for three
+First, without additional context, the word "key" can refer either to public, or to private key material.
-distinct concepts, at three layers, all related to each other:
 
-- (Bare) "cryptographic keys" (without additional metadata). Those might be the private and/or public parameters that form a key, e.g., in case of an RSA private key, the exponent `d` along with the prime numbers `p` and `q`.
+### Layers of keys
-- OpenPGP *component keys*: "OpenPGP primary keys" and "OpenPGP subkeys". Those are building blocks of OpenPGP certificates. They consist of a (bare) cryptographic keypair, plus some invariant metadata (e.g. key creation time).
-- "OpenPGP certificate" (often called "OpenPGP key"): These consist of a number of component keys plus additional elements, such as identity information. (OpenPGP key servers serve this type of object).
 
-In the following section, we'll look more closely at these three layers.
+Independent of the distinction between private and public keys, in the OpenPGP space, the term "key" has historically been used to refer to three different layers, all related but distinct:
+
+- A (bare) "cryptographic key" (without additional metadata). Those might be the private and/or public parameters that form a key, e.g., in case of an RSA private key, the exponent `d` along with the prime numbers `p` and `q`.
+- An OpenPGP *component key*: Either an "OpenPGP primary key", or an "OpenPGP subkey". A component key is one building block of an OpenPGP certificate. It consist of a (bare) cryptographic keypair combined some invariant metadata (e.g. key creation time).
+- An "OpenPGP key", or "OpenPGP certificate": Consists of a number of component keys plus additional elements, such as identity information. (OpenPGP "key servers" serve this type of object).
+
+In the following section, we'll look more closely at each of these three layers.
 
 
 ## "OpenPGP keys/certificates": collections of cryptographic keys, identity information and other metadata
 
-A complete "OpenPGP certificate" or "OpenPGP key" is composed of an arbitrary number of elements.
+A full "OpenPGP certificate" (or "OpenPGP key") is composed of an arbitrary number of elements.
 
-All elements of an OpenPGP certificate are structured around one central cryptographic key: the *primary key*. The primary key acts like a personal CA for the key's owner: It can make cryptographic statements about subkeys, identities, expiration times, revocation, ...
+All elements of an OpenPGP certificate are structured around one central component key: the *OpenPGP primary key*. This primary key acts like a personal CA for the key's owner: It can make cryptographic statements about subkeys, identities, expiration times, revocation, ...
 
-OpenPGP keys are often long-lived and may be changed (typically by their owner), over time.
+Note that OpenPGP keys are often long-lived and may be changed (typically by their owner), over time.
 
 ### OpenPGP component keys
 
-An OpenPGP component key (either the "primary key", or a "subkey") consists mainly of a cryptographic keypair:
+An OpenPGP component key (either the "OpenPGP primary key," or an "OpenPGP subkey") consists mainly of an asymmetric cryptographic keypair:
 
 ![Image](diag/cryptographic_keys.png "A cryptographic keypair")
 
 A cryptographic keypair, in turn, consists of a private and a public part. In this document, we'll show the public part of a cryptographic key in green, and the private part in red.
 
-We'll usually visualize cryptographic keypairs in a more compact form:
+We'll usually visualize cryptographic keypairs in this more compact form:
 
 ![Image](diag/keypair.png "A cryptographic keypair")
 
-Note that in many contexts, only the public part is present:
+Note that in many contexts, only the public part is present (more on that later):
 
 ![Image](diag/keypair_pub.png "Only the public part of a cryptographic keypair")
 
-More on that later.
+Besides a cryptographic keypair, an OpenPGP component key contains additional metadata (including a creation timestamp):
-
-An OpenPGP component key consists of
-
-- a cryptographic keypair, and
-- additional metadata (including a creation timestamp).
 
 ![Image](diag/primary_key.png "An OpenPGP component key")
 
-For each OpenPGP component key, an *OpenPGP fingerprint* can be derived from the combination of key material and metadata:
+For each OpenPGP component key, an *OpenPGP fingerprint* can be derived from the combination of the public key material and metadata:
 
 ![Image](diag/fingerprint.png "Each OpenPGP component key has a fingerprint")
 
 The fingerprint of our example component OpenPGP key is `B3D2 7B09 FBA4 1235 2B41  8972 C8B8 6AC4 2455 4239` [^keyid].
 
-The fingerprint of the primary key has a central role. It is used as the unique identifier for the full OpenPGP certificate.
+### Special role of the OpenPGP primary key
 
+The primary OpenPGP key has a central role:
+
+- Its fingerprint is used as the unique identifier for the full OpenPGP certificate.
+- In addition, it is used for lifecycle operations (e.g. adding or invalidating subkeys or identities in a certificate)
 
 ## What is in a certificate (Structure) / Components of an OpenPGP key/certificate