From b04b823830f1231983831d2f91ccf1ddfc68054d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 10 Nov 2023 15:38:09 +0100 Subject: [PATCH] Integrate some diagrams with ch9 --- book/source/09-verification.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 829800e..d458144 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md @@ -83,6 +83,11 @@ At the same time, the specification states, that signature subpackets on the dir In this case, the implementation uses the preferences from the subkey binding signature, but if no such subpacket is found on the latest binding signature, it falls back to the preferences of the direct-key signature. This is called attribute shadowing, since direct-key signature subpackets apply to all subkeys, but are shadowed by binding signature subpackets. +```{figure} drawio/attribute-shadowing.png + +Attributes from the primary key's Direct-Key signature apply to the whole certificate, but can be shadowed by binding signatures. +``` + Note: Attribute shadowing should only be used for algorithm preferences, since there are subpacket types where shadowing makes no sense (e.g. key expiration time subpackets). ### Signature shadowing @@ -91,8 +96,20 @@ When inspecting signatures on a component of an OpenPGP certificate, only the ne In other words; If there are three binding signatures `A, B, C` for a subkey, where `A` was created at `t0`, `B` at `t1` and `C` at `t3` with `t0 < t1 < t2 < t3`, at `t2` an implementation only needs to consider `B`, as `C` is not yet effective. `A` is therefore shadowed. +```{figure} drawio/cert-validity-subkey.png + +An example for how certificate validity can change with time. +``` + Note: Signature shadowing is not to be mistaken with attribute shadowing. +Attribute- and signature shadowing also combine, so it is not always obvious, what properties a key has at any given time. + +```{figure} drawio/dk-attributes-and-shadowing.png + +Signatures shadow another, based on reference time. +``` + ### Revocations A signature might be *disqualified* by the presence of a revocation signature.