Integrate some diagrams with ch9

book/source/09-verification.md

@@ -83,6 +83,11 @@ At the same time, the specification states, that signature subpackets on the dir
 In this case, the implementation uses the preferences from the subkey binding signature, but if no such subpacket is found on the latest binding signature, it falls back to the preferences of the direct-key signature.
 This is called attribute shadowing, since direct-key signature subpackets apply to all subkeys, but are shadowed by binding signature subpackets.
 
+```{figure} drawio/attribute-shadowing.png
+
+Attributes from the primary key's Direct-Key signature apply to the whole certificate, but can be shadowed by binding signatures.
+```
+
 Note: Attribute shadowing should only be used for algorithm preferences, since there are subpacket types where shadowing makes no sense (e.g. key expiration time subpackets).
 
 ### Signature shadowing
@@ -91,8 +96,20 @@ When inspecting signatures on a component of an OpenPGP certificate, only the ne
 In other words; If there are three binding signatures `A, B, C` for a subkey, where `A` was created at `t0`, `B` at `t1` and `C` at `t3` with `t0 < t1 < t2 < t3`, at `t2` an implementation only needs to consider `B`, as `C` is not yet effective.
 `A` is therefore shadowed.
 
+```{figure} drawio/cert-validity-subkey.png
+
+An example for how certificate validity can change with time.
+```
+
 Note: Signature shadowing is not to be mistaken with attribute shadowing.
 
+Attribute- and signature shadowing also combine, so it is not always obvious, what properties a key has at any given time.
+
+```{figure} drawio/dk-attributes-and-shadowing.png
+
+Signatures shadow another, based on reference time.
+```
+
 ### Revocations
 
 A signature might be *disqualified* by the presence of a revocation signature.