From c1a0c1516857d86f5e050974e858426f154ab7ca Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Fri, 24 Nov 2023 12:46:03 +0100 Subject: [PATCH] Add a brief explanation of the metadata leak --- book/source/04-certificates.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 11d069e..8ca2e27 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -441,11 +441,11 @@ After the update, the updated copy of the certificate will usually have a fresh ### Metadata leak of Social Graph -```{admonition} TODO -:class: warning +Third-party certifications, which are signatures made by other certificates, over identity components, form a back-bone of OpenPGP trust-model called the Web of Trust. The name stems from the fact that the collection of certifications forms a unidirectional graph resembling a web. Each edge of graph connects the signing certificate to the identity component associated with another certificate. -write -``` +OpenPGP software can inspect that graph, and coupled with trust data and a trust anchor (which usually is the certificate holder's own key), can infer whether the target certificate is genuine. + +Third-party certifications are published as part of the target certificate to facilitate the process of certificate authentication. Unfortunately, as a side-effect of this approach it's feasible to reconstruct the entire social graph of all people issuing certifications. The certification's signature creation time can be used to deduct whether the ceritifate owner attended a Key Signing Party (and if it was public where was it) and whom they interacted with. (unbound_user_ids)= ### Adding unbound User IDs to a certificate
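Review bot: the new prose in the hunk on `04-certificates.md` has several spelling and wording problems that should be fixed before merge, and one terminology slip. In the last added paragraph "ceritifate owner" should read "certificate owner", and "can be used to deduct whether" should be "can be used to deduce whether"; in the first added paragraph "back-bone of OpenPGP trust-model" should be "backbone of the OpenPGP trust model", and "Each edge of graph" is missing an article ("Each edge of the graph"). The terminology point: a graph whose edges run from the signing certificate to a component of another certificate is a directed graph, not a "unidirectional graph", so I would change "forms a unidirectional graph resembling a web" to "forms a directed graph resembling a web". The parenthetical "(and if it was public where was it)" is hard to parse; consider "(and, if the party was public, where it took place)". Finally, since the section's point is that published certifications leak who interacted with whom and when, it would help readers if the paragraph closed by naming the trade-off the text already implies: the certifications are published to support certificate authentication, so the leak is the cost of making that verification possible by anyone holding the certificate.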