8. Signatures on components

This chapter examines OpenPGP signatures associated with certificate components, applying to:

Signatures on components are used to construct and maintain certificates, and to model the authentication of identities.

This chapter expands on topics introduced in the Certificates chapter.

8.1. Self-signatures vs third-party signatures

Component signatures in OpenPGP are categorized into two distinct types:

8.1.1. Self-signatures

Self-signatures are fundamental in creating and managing OpenPGP certificates. They bind the various components of a certificate into one combined data structure and facilitate the certificate’s life-cycle management.

Life-cycle management operations include:

Self-signatures are issued by the certificate’s owner using the certificate’s primary key.

Note

No key flag is required to issue self-signatures. An OpenPGP primary key can issue self-signatures by default.

8.1.2. Third-party signatures

Third-party signatures are pivotal in OpenPGP for decentralized authentication, forming the basis of the Web of Trust. They encode authentication-related statements about certificates and linked identities, establishing trustworthiness of identity claims.

Third-party signatures are used to make specific statements:

Note

The certify others key flag (0x01) is required to issue third-party signatures. By convention[1], only the certificate’s primary key can hold this key flag.

8.1.3. Distinct functions of self-signatures and third-party signatures

The meaning of an OpenPGP signature depends significantly on its issuer. Self-signatures and third-party signatures, even when of the same signature type, serve distinct functions. For example:

In another instance:

8.2. Self-signatures in certificate formation and management

Self-signatures play a crucial role in forming and managing the structure of OpenPGP certificates. These act as binding signatures, joining components and embedding metadata.

Internally, an OpenPGP certificate is essentially a series of packets strung sequentially. When a certificate is stored in a file format known as a transferable public key, packets can be easily added or removed.

To safeguard against unauthorized additions or alterations of components, OpenPGP uses cryptographic signatures. These validate that all components, such as subkeys or identity components, were linked to the OpenPGP certificate by its owner, using the primary key. While anyone can still store unrelated elements to a certificate dataset, OpenPGP implementations will reject them if they lack a valid cryptographic connection with the certificate.

Note

Conversely, omissions of packets by third parties can easily occur when handling an OpenPGP certificate dataset. This could pose a challenge, for example, when an attacker deliberately omits revocation packets. Without access to an alternative, complete certificate source, recipients might not detect these omissions.

However, there are legitimate instances in which third parties add “unbound” packets (i.e., not signed by the certificate’s owner) to a certificate:

8.2.1. Binding subkeys to a certificate

Subkeys are linked to OpenPGP certificates via a subkey binding signature (type ID 0x18). This signature type indicates the association of the primary key with the subkey.

A subkey binding signature binds a subkey to a primary key, and it embeds metadata into the signature packet. Once generated, the subkey binding signature packet is stored in the certificate directly after the subkey it binds.

Subkeys designated for signing purposes, identified by the signing key flag, represent a unique category and are handled differently. See Section 8.2.2.

Depicts a diagram on white background with the title "Subkey binding signature". At the top left the symbol of a primary component key with certification capability is shown. At the bottom left the symbol of a component key with encryption capability is shown. The primary component key points at the lower component key with a full green arrow line. In the middle of the connection the small symbol of a signature packet is shown. On the right side of the diagram a detailed version of the signature packet can be found in a box with the title "Subkey binding signature". The text reads "Signature over Primary key, Subkey" and the box with "Signature metadata" contains the list "signature creation time", "key expiration time", "key flags" and "issuer fingerprint". The primary component key points at the detailed signature packet with a dotted green arrow line and the text "Primary key creates a subkey binding signature to bind the subkey to the primary key".

Fig. 20 Linking an OpenPGP subkey to the primary key with a binding signature

Metadata for the subkey, such as the key expiration time and capabilities set by key flags, are included in subpackets within the subkey binding signature packet.

Note

The validity of a subkey is intrinsically linked to that of the primary key. An expired primary key renders any associated subkey invalid, regardless of the subkey’s own expiration setting.

Legally, a subkey may not have a specified expiration time. In such cases, its expiration aligns implicitly with that of the primary key. Additionally, the creation time of a subkey must always be more recent than that of the primary key.

8.2.2. Special case: Binding signing subkeys

Binding subkeys that possess the signing key flag to a certificate represents a unique scenario. While similar to the binding process of other subkeys, there is an additional, critical requirement: mutual association.

That is, to bind a signing-capable subkey to a primary key, it is insufficient that the “primary key wants to be associated with the subkey.” The subkey must explicitly signal that it “wants to be associated with the primary key.”

This mutual binding is crucial for security. Without it, an individual (e.g., Alice) could falsely claim a connection to another person’s (e.g., Bob’s) signing subkey. Alice could thus claim to have issued signatures which were actually issued by Bob. To prevent such scenarios, where an attacker might wrongfully “adopt” a victim’s signing subkey, a dual-layer of signatures is used:

Depicts a diagram on white background with the title "Subkey binding signature for signing subkeys". At the top left the symbol of a primary component key with certification capability is shown. At the bottom left the symbol of a component key with signing capability is shown. The primary component key points at the lower component key with a full green arrow line. In the middle of the connection the small symbol of a signature packet is shown. On the right side of the diagram a detailed version of the signature packet can be found in a box with the title "Subkey binding signature". The text reads "Signature over Primary key, Subkey" and the box with "Signature metadata" in it contains the list "signature creation time", "key expiration time", "key flags" and "issuer fingerprint". Within the signature metadata a box with a green dotted frame extends the list with an inlined signature packet with the title "Embedded Signature; Primary key binding". Its inner text reads "Signature over Primary Key, Signing Subkey". The signature metadata area of this embedded signature holds the list "signature creation time" and "issuer fingerprint". The cryptographic signature symbol overlaps both metadata and general section of the embedded signature. From the signing component key a green dotted arrow line points to the embedded signature in the subkey binding signature with the text "Signing key creates a primary binding signature to associate itself with the primary key" ("primary binding signature" in bold). At the top of the diagram, the primary component key points at the detailed signature packet with a dotted green arrow line and the text "Primary key creates a subkey binding signature to bind the subkey to the primary key".

Fig. 21 Linking an OpenPGP signing subkey to the primary key with a binding signature, and an embedded primary key binding signature

The back signature signifies the mutuality of the subkey’s association with the primary key and is embedded as subpacket data within the subkey binding signature, reinforcing the authenticity of the binding.

8.2.3. Binding identities to a certificate

Self-signatures also play a vital role in binding identity components, such as User IDs or User Attributes, to an OpenPGP certificate.

To bind the User ID Alice Adams <alice@example.org> to her OpenPGP certificate (AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6  7F33 00F9 FB0E C457 378C D29F 1026 98B3), Alice would use a certification signature.

There are four types of certifying self-signature. The most commonly used type for binding User IDs is the positive certification (type ID 0x13). Alternatively, type 0x10, 0x11, or 0x12 might be used. This binding signature must be issued by the primary key.

The certifying self-signature packet – calculated over the primary key, User ID, and metadata of the signature packet – is added to the certificate, directly following the User ID packet.

Depicts a diagram on white background with the title "User ID binding signature". At the top left the symbol of a primary component key with certification capability is shown. At the bottom left the symbol of a User ID reads "Alice Adams <alice@example.org>". The primary component key points at the User ID with a full green arrow line. In the middle of the connection the small symbol of a signature packet is shown. On the right side of the diagram a detailed version of the signature packet can be found in a box with the title "User ID binding signature". The text reads "Signature over Primary key, User ID" and the box with "Signature metadata" in it contains the list "signature creation time", "key expiration time", "primary User ID flag", "algorithm preferences", "key expiration time (primary key)" and "key flags (primary key)". At the top of the diagram, the primary component key points at the detailed signature packet with a dotted green arrow line and the text "Primary key creates a User ID binding signature to associate the User ID with the primary key".

Fig. 22 Linking a User ID to an OpenPGP certificate

8.2.4. Adding global metadata to a certificate

The signatures that bind subkeys and identity components to a certificate serve dual purposes: linking components to the certificate and adding metadata to components.

While it is essential to add metadata that pertains to the entire certificate, this does not require binding any component to the certificate. In this case, the signature mechanism is used just to associate metadata with the certificate globally.

Two signature types can perform this function:

The types of metadata typically associated with the certificate through these methods include:

8.2.4.1. Direct key signature

A direct key signature serves as the preferred mechanism in OpenPGP v6 for defining metadata for the entire certificate, by associating it with the primary key.

8.2.4.2. Self-signature binding to primary User ID

In OpenPGP v4, another mechanism was often used for metadata management: integrating global certificate metadata within a User ID binding signature. This is specifically evident in the binding signature of the primary User ID of the OpenPGP certificate.

This method results in the primary User ID binding signature containing a mix of metadata: some specific to that User ID and some applicable to the certificate globally.

Given the widespread adoption of this mechanism in existing OpenPGP certificates, it is crucial that OpenPGP applications recognize and manage it.

8.2.5. Revocation self-signatures: Invalidating certificate components

Revocation self-signatures represent an important class of self-signatures, used primarily to invalidate components or retract prior signature statements.

There are several types of revocation signatures, each serving a specific purpose:

Common scenarios for using revocations include marking certificates or individual subkeys as unusable (e.g., when the private key has been compromised or replaced) or declaring User IDs as no longer valid.

Note

OpenPGP certificates act as append-only data structures in practice. Once elements of a certificate are published, they cannot be removed from key servers or third-party OpenPGP systems. Implementations usually merge all available components and signatures.

Revocations are used to mark components or signatures as invalid.

Note: certification signatures can be made irrevocable.

8.2.5.1. Hard vs soft revocations

Revocation signatures often include a Reason for Revocation subpacket, with a code specifying why the revocation was issued. This code determines whether the revocation is considered soft or hard.

Note

A revocation signature packet lacking a Reason for Revocation subpacket is interpreted as a hard revocation.

8.3. Authentication and delegation in third-party signatures

Third-party signatures in OpenPGP primarily encode authentication statements for identities and delegate trust decisions. These signatures can be manually inspected or processed as machine-readable artifacts by OpenPGP software, which evaluates the authenticity of certificates based on user-specified trust anchors.

8.3.1. Certifying identity components

When a signer issues a certifying signature on an identity, it indicates a verified link between the identity and the certificate. That is, the signer vouches for the identity claim.

For example, Alice can vouch that Bob’s User ID Bob Baker <bob@example.com> is legitimately linked with his certificate BB28 9FB7 A68D BFA8 C384 CCCD E205 8E02  D9C6 CD2F 3C7C 56AE 7FB5 3D97 1170 BA83, by creating a certification signature. Bob can then distribute Alice’s certifying signature<Certification> as part of his certificate.

Other users may or may not decide to rely on Alice’s statement to determine the authenticity of Bob’s certificate.

8.3.2. Trust signatures: delegating authentication

OpenPGP uses trust signature subpackets to delegate authentication decisions, designating the recipient certificate as a “trusted introducer” (or a trust anchor) for the user. This includes specifying trust depth (or level) for transitive delegations and quantifying trust with numerical values, indicating the extent of reliance on the introducer’s certifications.

Trust signature subpackets are applicable in third-party signatures, more specifically:

8.3.2.1. Trust depth/level

The “trust depth” (or level) in OpenPGP signifies the extent of transitive delegation within the authentication process. It determines how far a delegation can be extended from the original trusted introducer to subsequent intermediaries. Essentially, a certificate with a trust depth of more than one acts as a “meta introducer,” facilitating authentication decisions across multiple levels in the network.

A trust depth of 1 means relying on certifications made directly by the trusted introducer. The user’s OpenPGP software will accept certifications made directly by the introducer for authenticating identities.

However, when the trust depth is set higher, it implies a chain of delegation may extend beyond the initial introducer. The user’s software will recognize and accept certifications made not only by the primary introducer but also by other intermediaries whom the primary introducer designated as trusted introducers.

This allows for a more extensive network of trusted certifications, enabling a broader and more interconnected Web of Trust.

8.3.2.2. Trust amounts

The “trust amount,” with a numerical value ranging from 0 to 255, quantifies the degree of reliance on a delegation.

A higher value indicates greater degree of reliance. This quantification aids OpenPGP software in determining an aggregate amount of reliance, based on combined certifications from multiple trusted introducers.

8.3.2.3. Limiting delegation scope

When using trust signature subpackets, a delegation can be limited to identities that match a regular expression.

With this mechanism, for example, it is possible to delegate authentication decisions only for User IDs that match the email domain of an organization.

8.3.3. Web of Trust: Decentralized trust decisions

The Web of Trust in OpenPGP is a trust model that facilitates authentication decisions through a network of certifications and delegations. It is characterized by a so-called strong set, which refers to a group of certificates that are robustly interconnected via third-party certifications.

In this model, users independently delegate authentication decisions, choosing whose certification to rely on. This delegation is based on the certificates and third-party signatures available to them, with their OpenPGP software applying the Web of Trust mechanism to discern the reliability of each certificate for an identity.

The OpenPGP RFC doesn’t specify exactly how Web of Trust calculations are performed. It only defines the data formats on which these calculations can be performed.

8.3.4. Revoking third-party signatures

To reverse a previously issued third-party signature, the issuer can generate a certification revocation signature (type ID 0x30). The revocation must be issued by the same key that created the original signature or, in deprecated practice, by a designated Revocation Key.