From 70dd5f859b7622964f3c19c0d0dce1a6b2be9060 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 27 Nov 2023 21:48:00 +0100 Subject: [PATCH 1/7] update figure name --- book/source/04-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index eb3ae14..7a7776c 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -49,7 +49,7 @@ An OpenPGP certificate (or "OpenPGP key") is a collection of an arbitrary number This documentation collectively refers to component keys and identity components as "the components of a certificate." ```{figure} diag/Components_of_an_OpenPGP_Certificate.svg -:name: fig-openpgp-certificate +:name: fig-openpgp-certificate-components :alt: Depicts a box with white background and the title "OpenPGP certificate". In the box several other boxes and accompanying texts, representing component keys and User IDs, are shown. There are three component keys boxes with a green frame, each with a dotted lower-left section, that shows the text "key creation time" and the green public key symbol in the lower right area. All three have a title, a unique fingerprint below the box and a unique capability keyword, perpendicular to the box on the right side. The top-most component key box has a light-green background, with the title "Component Key (primary)" and capability keyword "certification". The second-to-top component key box has a white background, with the title "Component Key" and capability keyword "encryption". The lowest component key box has a white background, with the title "Component Key" and capability keyword "signing". There are two User ID boxes, each with a black frame, open to top left and lower right corner. Both boxes have a user icon on the top left side, the title "User ID" on the top right side and a User ID string at the bottom. The top box has "Alice Adams " and the lower box has "Alice" as User ID string. Typical components in an OpenPGP certificate From 7ad240323f63df8063b2dbd82617ecf84ed1eaa7 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 27 Nov 2023 21:48:16 +0100 Subject: [PATCH 2/7] use DKS diagram --- book/source/04-certificates.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 7a7776c..b59d709 100644 --- a/book/source/04-certificates.md 
+++ b/book/source/04-certificates.md @@ -197,6 +197,13 @@ Key attributes, such as capabilities (like *signing* or *encryption*) and expira It is crucial to note that the components of an OpenPGP certificate remain static after their creation. The use of signatures to store metadata allows for subsequent modifications without altering the original components. For instance, a certificate holder can update the expiration time of a component by issuing a new, superseding signature. +```{figure} diag/Primary_key_metadata.png +:name: fig-primary-metadata +:alt: Depicts a direct key signature, associated with a primary component key. + +Metadata can be associated with the primary key using a *direct key signature* +``` + ### Defining operational capabilities of component keys with key flags Each component key has a set of ["key flags"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) that delineate the operations a key can perform. From f6bec55df5c3fc5f23c3faeea5c770cfd4ed9f9e Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 27 Nov 2023 21:59:10 +0100 Subject: [PATCH 3/7] use "certificate with bindings" diagram --- book/source/04-certificates.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index b59d709..a3edc11 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -249,6 +249,17 @@ As a starting point, a certificate has a set of preferences that apply generally Additionally, OpenPGP allows modeling User ID-specific preferences. The idea is that a user may prefer a different suite of algorithms on their private email account compared to their work email account. Such identity-specific preferences can be expressed on the certifying signatures that bind User IDs to a certificate. +## A typical OpenPGP certificate, revisited + +Now that we've discussed how keys and identity components are linked together, we can have another look at the certificate from {numref}`fig-openpgp-certificate-components`. This time we include all of its binding signatures, as well as a direct key signature that contains metadata for the full certificate: + +```{figure} diag/OpenPGP_Certificate.png +:name: fig-openpgp-certificate +:alt: Depicts an OpenPGP certificate, including a set of components, binding signatures and a direct key signature on the primary key. + +A typical OpenPGP certificate, including binding signatures for all of its components, and a signature that associates metadata with the primary key +``` + ## Revocations When a certificate owner needs to invalidate certain components of their certificate, or even the entire certificate, they accomplish this through "revocation." Revoking the primary key renders the entire certificate invalid. From 98b65f767f11d3e4e0d5d29f1c8dfd3fae567c28 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 27 Nov 2023 22:22:33 +0100 Subject: [PATCH 4/7] don't use component key svg --- book/source/04-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index a3edc11..df3d27f 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -69,7 +69,7 @@ OpenPGP component keys logically consist of an [asymmetric cryptographic keypair [^ecdh-parameters]: For [ECDH](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ecd) component keys, two additional algorithm parameters are integral to the component key's constitutive and immutable properties. Those parameters specify a hash function and a symmetric encryption algorithm. -```{figure} diag/Component_Key.svg +```{figure} diag/Component_Key.png :name: fig-component-key :alt: Depicts a box with white background and no title. In the box one other box is shown. The inner box has a green frame, with a dotted lower-left section, that shows the text "key creation time" and the green public key symbol, as well as the red-dotted private key symbol in the lower right area. In the top left of the inner box the text reads "Component Key". From 100e29278ca9e62a2bef65b5fe69c62e4647d265 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 2 Dec 2023 17:48:01 +0000 Subject: [PATCH 5/7] add missing period --- book/source/04-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index df3d27f..c73f079 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -201,7 +201,7 @@ It is crucial to note that the components of an OpenPGP certificate remain stati :name: fig-primary-metadata :alt: Depicts a direct key signature, associated with a primary component key. -Metadata can be associated with the primary key using a *direct key signature* +Metadata can be associated with the primary key using a *direct key signature*. ``` ### Defining operational capabilities of component keys with key flags From 463030f9450111caca692ba9561d3207060713c5 Mon Sep 17 00:00:00 2001 
From: "Tammi L. Coles" Date: Sat, 2 Dec 2023 17:54:27 +0000 Subject: [PATCH 6/7] edits to commit f6bec55df5 --- book/source/04-certificates.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index c73f079..24b4a09 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -251,13 +251,13 @@ Additionally, OpenPGP allows modeling User ID-specific preferences. The idea is ## A typical OpenPGP certificate, revisited -Now that we've discussed how keys and identity components are linked together, we can have another look at the certificate from {numref}`fig-openpgp-certificate-components`. This time we include all of its binding signatures, as well as a direct key signature that contains metadata for the full certificate: +Following our review of how keys and identity components are linked, let's reexamine the OpenPGP certificate from {numref}`fig-openpgp-certificate-components`. Our focus not extends to all of its binding signatures and the direct key signature that contains metadata for the full certificate: ```{figure} diag/OpenPGP_Certificate.png :name: fig-openpgp-certificate -:alt: Depicts an OpenPGP certificate, including a set of components, binding signatures and a direct key signature on the primary key. +:alt: Depicts an OpenPGP certificate, including a set of components, binding signatures, and a direct key signature on the primary key. -A typical OpenPGP certificate, including binding signatures for all of its components, and a signature that associates metadata with the primary key +This shows a typical OpenPGP certificate, including binding signatures for all of its components, and a signature that associates metadata with the primary key. ``` ## Revocations From 05d95c07bf1031401e89f5c142b55cc92756baf6 Mon Sep 17 00:00:00 2001 
From: "Tammi L. Coles" Date: Sat, 2 Dec 2023 17:56:01 +0000 Subject: [PATCH 7/7] correct last fix in commit 463030f945 --- book/source/04-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 24b4a09..7cb7f9f 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -251,7 +251,7 @@ Additionally, OpenPGP allows modeling User ID-specific preferences. The idea is ## A typical OpenPGP certificate, revisited -Following our review of how keys and identity components are linked, let's reexamine the OpenPGP certificate from {numref}`fig-openpgp-certificate-components`. Our focus not extends to all of its binding signatures and the direct key signature that contains metadata for the full certificate: +Following our review of how keys and identity components are linked, let's reexamine the OpenPGP certificate from {numref}`fig-openpgp-certificate-components`. Our focus now extends to all of its binding signatures and the direct key signature that contains metadata for the full certificate: ```{figure} diag/OpenPGP_Certificate.png :name: fig-openpgp-certificate
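Review bot: In PATCH 1/7 (hunk `@@ -49,7 +49,7 @@` of book/source/04-certificates.md), renaming the label `fig-openpgp-certificate` to `fig-openpgp-certificate-components` can break any `{numref}` reference to the old label elsewhere in the book, and this series touches only the one file. Grep book/source for `fig-openpgp-certificate` before merging. This matters more than usual here because PATCH 3/7 reuses the freed name for a different figure, so a stale reference would silently resolve to the wrong diagram instead of failing the Sphinx build.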
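Review bot: In PATCH 2/7 (hunk `@@ -197,6 +197,13 @@`), the alt text `:alt: Depicts a direct key signature, associated with a primary component key.` is much thinner than the alt text of the other figures in this file, which describe the diagram's boxes, titles and key symbols; expand it so a screen reader conveys the same information as the image. Two smaller points: `diag/Primary_key_metadata.png` is not part of this series (1 file changed), so confirm the image is committed separately, and the surrounding prose never points at the new figure; adding `{numref}`fig-primary-metadata`` to the sentence about issuing a superseding signature would tie the diagram to the text.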
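Review bot: In PATCH 3/7 (hunk `@@ -249,6 +249,17 @@`), the new figure takes the label `fig-openpgp-certificate` that PATCH 1/7 just removed from the components diagram; reusing a retired label is a trap for any reference that was not updated, so prefer a fresh name (for example `fig-openpgp-certificate-bindings`, an illustrative suggestion). As with 2/7, `diag/OpenPGP_Certificate.png` is not added by the series, and the alt text is a one-liner compared with the detailed descriptions used for the earlier figures.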
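Review bot: In PATCH 4/7 (hunk `@@ -69,7 +69,7 @@`), the commit message "don't use component key svg" gives no reason for switching `diag/Component_Key.svg` to `diag/Component_Key.png`, while the components figure in the same file stays on SVG, which scales better in the rendered book; state the rationale in the message. Also check that `Component_Key.png` exists in the repository (it is not in this series) and whether the now-unreferenced SVG should be removed.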
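Review bot: In PATCH 5/7 (hunk `@@ -201,7 +201,7 @@`), adding a terminal period to this caption makes it inconsistent with captions already in the file that end without one, for example "Typical components in an OpenPGP certificate" visible in the 1/7 hunk; choose one convention for the chapter and apply it uniformly rather than per figure.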
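Review bot: In PATCH 6/7 (hunk `@@ -251,13 +251,13 @@`), "Our focus not extends to all of its binding signatures" should read "Our focus now extends"; PATCH 7/7 fixes this, so squash the two. In the same hunk, the caption "This shows a typical OpenPGP certificate, ..." can drop "This shows", since the other captions in this file name the subject directly.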
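Review bot: PATCH 7/7 (hunk `@@ -251,7 +251,7 @@`) is a one-word fixup of the typo introduced in 6/7; fold it into that commit (for example with `git commit --fixup` and `git rebase -i --autosquash`) so the broken sentence never appears in history.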