Other changes

Paul Schaub 2023-11-08 11:59:46 +01:00
parent 21f4a754eb
commit e78d52eb76
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311

@ -5,9 +5,23 @@
## When are signatures valid? ## When are signatures valid?
There is a difference between signature *correctness* and *validity*.
A signature might be correct, but still disqualify as a valid signature.
The validity of a signature is constrained by a number of conditions. The validity of a signature is constrained by a number of conditions.
First and foremost, a signature must be cryptographically correct, meaning the signature as well as the signed information must be intact. First and foremost, a signature must be cryptographically correct, meaning the signature, as well as the signed information must be intact.
Futhermore, signatures on a certificate form a chain, originating from the certificates primary key down to signatures issued by the certificate.
### Temporal validity
A signature is valid only for a constrained period of time.
A hard, lower constraint for the validity period is the creation time of the signature.
An upper constraint might be its expiration time.
When checking a signature for validity, a reference time is defined.
For an email that might be the signature creation time itself, or the reception date.
For the signature to qualify as valid, it needs to be effective, in other words, the reference time must fall into the period from signature creation to signature expiration.
Futhermore, signatures on a certificate form a chain, or rather a tree of signatures, originating from the certificates primary key down to signatures issued by the certificate.
In order to verify, whether a signature is valid, the whole signature chain must be checked, taking expiration dates, capabilities and revocations into account. In order to verify, whether a signature is valid, the whole signature chain must be checked, taking expiration dates, capabilities and revocations into account.
For example, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate. For example, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate.
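Review bot: The paragraph beginning "Futhermore, signatures on a certificate form a chain, or rather a tree of signatures" now sits directly under the new "### Temporal validity" heading, together with the "In order to verify" and "For example" paragraphs, although all three describe chain validation (capabilities, revocations, binding signatures) rather than time constraints. Consider moving them above the new heading or giving them their own subsection, so that "Temporal validity" covers only creation time, expiration time and the reference time. While touching that line, "Futhermore" should be "Furthermore" and "the certificates primary key" should be "the certificate's primary key". In the reworded sentence "the signature, as well as the signed information must be intact" the added comma is unpaired: either add one after "information" or drop the new one. The comma in "In order to verify, whether a signature is valid" can also go.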