diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 40280c0..c07e364 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -345,7 +345,11 @@ In addition, GnuPG offers two explicit methods for certificate minimization, des Some implementations, such as Sequoia, prefer to rely on the full historical set of self-signatures to construct a view of the certificate over time. This way, signatures can be verified at different reference times. In this model, removing superseded self-signatures can cause problems with the validation of historical signature. -An example for the tension between minimization and nuanced verification of the [temporal validity](temporal-validity) of signatures can be seen in the case of [rpm-sequoia](https://github.com/rpm-software-management/rpm-sequoia/issues/50#issuecomment-1689642607). To handle the limited availability of historical self-signatures on certificates in the wild, the rpm-sequoia implementation was adjusted to accept binding self-signatures that predate the current self-signature of the primary key[^primary-self-sig]. +An example for the tension between minimization and nuanced verification of the [temporal validity](temporal-validity) of signatures can be seen in the case of rpm-sequoia. See [this discussion](https://github.com/rpm-software-management/rpm-sequoia/issues/50#issuecomment-1689642607) for details: + +Initially, when checking the validity of a data signature for a software package, `rpm-sequoia` used the signature's creation time as the reference time. However, the availability of historical self-signatures in certificates is limited. So sometimes only a more recent self-signature for the primary key is available, and there is no evidence that the primary key was valid at the reference time. + +To deal with this reality, the rpm-sequoia implementation was adjusted to accept data signatures that predate the validity of the current primary key self-signature[^primary-self-sig]. [^primary-self-sig]: Which in OpenPGP version 4 is often a primary User ID binding signature.