From c2c7ad63bc27c1acaabf1723a1c422de44a9ad0d Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 7 Dec 2023 22:04:57 +0100 Subject: [PATCH] use "OpenPGP subsystem" to talk about certificate store state --- book/source/04-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 3e97a03..8fbeb2c 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -509,7 +509,7 @@ However, in a different context, the same certificate might be fetched to verify Disadvantages/risks of minimizing certificates: - A minimized certificate does not present a full view of how it (and the validity of its components) evolved over time. -- As an OpenPGP instance learns about more certificates, third-party certifications that were previously unusable may become usable. Dropping third-party certifications by unknown issuers as a part of minimization prevents this mechanism. +- As the OpenPGP subsystem on a user's computer learns about more certificates, third-party certifications that were previously unusable may become usable. Dropping third-party certifications by unknown issuers as a part of minimization prevents this mechanism. - An OpenPGP implementation that minimizes a certificate might remove component keys that it cannot use itself (e.g. because it doesn't support the algorithm of that key), even if the *receiving* implementation supports them. - Refreshing certificates from key servers may inflate the certificate again, since OpenPGP certificates tend to act as [append-only structures](append-only). - Some libraries, such as [anonaddy-sequoia](https://gitlab.com/willbrowning/anonaddy-sequoia/-/blob/master/src/sequoia.rs?ref_type=heads#L125) strip unusable encryption subkeys, but retain at least one subkey, even if all subkeys are expired. Although this may leave only an expired encryption subkey in the certificate, this presents a better UX for the end-user who potentially is still in possession of the private key for decryption.
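Review bot: the new wording "on a user's computer" narrows the scope more than the list itself supports, since the last bullet in the same list cites anonaddy-sequoia, which applies this minimization on a server rather than on an end user's machine. Consider keeping the term the commit introduces but dropping the location qualifier, e.g. "As the OpenPGP subsystem learns about more certificates, third-party certifications that were previously unusable may become usable." Separately, the following bullet still says "An OpenPGP implementation that minimizes a certificate" and "the *receiving* implementation"; if "OpenPGP subsystem" is meant to be the standard term for the component holding certificate store state, a short note in the commit message or the glossary saying how "subsystem" and "implementation" differ would keep the two bullets from reading as if they use the terms interchangeably.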