vanitasvitae/openpgp-notes
1
0
Fork 0
mirror of https://codeberg.org/openpgp/notes.git synced 2025-09-10 19:59:40 +02:00
Code Issues Projects Releases Packages Wiki Activity

Signature shadowing

Browse source
This commit is contained in:
Paul Schaub 2023-11-09 19:56:20 +01:00 committed by Heiko Schaefer
parent 55396e8452
commit bcbbb0d901
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB
1 changed files with 9 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

10
book/source/09-verification.md
View file

@ -74,7 +74,7 @@ On the other hand, in order to verify a data signature over a text document, an
```{include} mermaid/09-sigtree.md ```{include} mermaid/09-sigtree.md
``` ```
### Attribute Shadowing ### Attribute shadowing
When determining preferences of a key, different signatures can be inspected. When determining preferences of a key, different signatures can be inspected.
For example, when using a signing subkey to generate a data signature, the implementation might want to check for hash algorithm preferences on the subkey binding signature. For example, when using a signing subkey to generate a data signature, the implementation might want to check for hash algorithm preferences on the subkey binding signature.
@ -85,6 +85,14 @@ This is called attribute shadowing, since direct-key signature subpackets apply
Note: Attribute shadowing should only be used for algorithm preferences, since there are subpacket types where shadowing makes no sense (e.g. key expiration time subpackets). Note: Attribute shadowing should only be used for algorithm preferences, since there are subpacket types where shadowing makes no sense (e.g. key expiration time subpackets).
### Signature shadowing
When inspecting signatures on a component of an OpenPGP certificate, only the newest, effective signature for each function is considered.
In other words; If there are three binding signatures `A, B, C` for a subkey, where `A` was created at `t0`, `B` at `t1` and `C` at `t3` with `t0 < t1 < t2 < t3`, at `t2` an implementation only needs to consider `B`, as `C` is not yet effective.
`A` is therefore shadowed.
Note: Signature shadowing is not to be mistaken with attribute shadowing.
### Revocations ### Revocations
A signature might be *disqualified* by the presence of a revocation signature. A signature might be *disqualified* by the presence of a revocation signature.