mirror of
https://codeberg.org/openpgp/notes.git
synced 2025-09-12 04:39:40 +02:00
Start content of verification chapter
This commit is contained in:
parent
a2c2beb73a
commit
bac7d8cf16
2 changed files with 37 additions and 0 deletions
|
@ -10,6 +10,20 @@ SPDX-License-Identifier: CC-BY-SA-4.0
|
|||
|
||||
## When are signatures valid?
|
||||
|
||||
The validity of a signature is constrained by a number of conditions.
|
||||
First and foremost, a signature must be cryptographically correct, meaning the signature as well as the signed information must be intact.
|
||||
Futhermore, signatures on a certificate form a chain, originating from the certificates primary key down to signatures issued by the certificate.
|
||||
In order to verify, whether a signature is valid, the whole signature chain must be checked, taking expiration dates, capabilities and revocations into account.
|
||||
|
||||
For example, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate.
|
||||
|
||||
The signature might be invalidated by corruption of the text document, corruption of the data signature packet, expiration or revocation of the primary or signing subkey, or revocation/expiration of the primary User ID.
|
||||
Furthermore, the signature might not be valid in the first place, due to a missing subkey binding signature, or a missing `SIGN_DATA` keyflag on the subkey binding signature.
|
||||
|
||||
```{include} mermaid/09-sigtree.md
|
||||
```
|
||||
|
||||
|
||||
- Validity as a tree of signatures
|
||||
|
||||
## Which signatures take precedence?
|
||||
|
|
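Review bot: the paragraph beginning "For example, in order to verify a data signature" presents the direct-key signature on the primary key as always required; in version 4 certificates a direct-key signature is optional and the primary key's expiration and capabilities are commonly carried on the primary User ID's self-signature instead, so either qualify it ("the direct-key signature, if present") or refer more generally to the self-signatures on the primary key. Smaller points in the same hunk: "Futhermore, signatures on a certificate form a chain, originating from the certificates primary key" should read "Furthermore ... from the certificate's primary key"; the comma in "In order to verify, whether a signature is valid" should be dropped; and the dangling "- Validity as a tree of signatures" bullet below the mermaid include reads like a leftover outline note rather than chapter text, so either expand it or remove it before the section is published.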