diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index e6cbd22..be0af7a 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -238,9 +238,20 @@ The popular [SKS keyserver network experienced certificate flooding firsthand](h This section needs to be written ``` - ## Advanced topics +### When are certificates valid? + +- Full certificate: Primary revoked/key expired/binding signature expired, +- Subkey: Revoked/key expired/binding signature expired +- User ID: revoked, binding expired, ... + +```{admonition} TODO +:class: warning + +write, link to chapter 9 +``` + (append-only)= ### Certificates are effectively append-only data structures @@ -419,18 +430,6 @@ Note that regardless of the OpenPGP version, software that relies on 8-byte Key The historical 4-byte "short Key IDs" format should not be used anywhere, anymore (finding collisions in a 32-bit keyspace has been [trivial for a long time](https://evil32.com/)). -### When are certificates valid? - -- Full certificate: Primary revoked/key expired/binding signature expired, -- Subkey: Revoked/key expired/binding signature expired -- User ID: revoked, binding expired, ... - -```{admonition} TODO -:class: warning - -write, link to chapter 9 -``` - (cert-freshness)= ### Certificate freshness: Triggering updates with expiration
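Review bot: In the first hunk (the "### When are certificates valid?" section now placed directly under "## Advanced topics"), the relocated section has no MyST target label, while the neighbouring sections in this file carry one (`(append-only)=`, `(cert-freshness)=`). The TODO says "write, link to chapter 9", so add a label above the heading, for example `(cert-validity)=` (the name is only a suggestion), so that the cross-reference has something to point at. The bullets are also inconsistent as moved: the "Full certificate" item ends in a stray comma, "Revoked" is capitalised only in the Subkey item, the User ID item says "binding expired" where the other two say "binding signature expired", and all three items list conditions that make a component invalid under a heading that asks when it is valid. Since the text is being touched anyway, tidy these or state explicitly that the list enumerates invalidating conditions. The hunk also removes the blank line between the closing fence after "This section needs to be written" and "## Advanced topics"; check that the heading is still preceded by a blank line in the result.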
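Review bot: In the second hunk (the removal that starts at old line 419), the validity stub used to sit directly above `(cert-freshness)=` "Certificate freshness: Triggering updates with expiration", and both sections deal with expiration. After the move, the freshness section follows the short Key ID paragraph with no pointer to the validity rules it relies on. Consider adding a cross-reference between the two sections once the stub is written, so a reader arriving at the freshness section can still find the expiration and revocation conditions.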