[distorted-keys] / profile.d / 02infra

;;; -*-conf-*-
;;;
;;; Default configuration for infrastructure keys
;;;
;;; (c) 2012 Mark Wooding
;;;

;;;----- Licensing notice ---------------------------------------------------
;;;
;;; This file is part of the distorted.org.uk key management suite.
;;;
;;; distorted-keys is free software; you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 2 of the License, or
;;; (at your option) any later version.
;;;
;;; distorted-keys is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with distorted-keys; if not, write to the Free Software Foundation,
;;; Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

;;;--------------------------------------------------------------------------
;;; Infrastructure keys conventions.
;;;
;;; Infrastructure keys are unusual in that they don't usually have access
;;; control lists.  Instead, they're used either automatically or as a direct
;;; result of action by a privileged user.
;;;
;;; Some key types (e.g., `gnupg') try to associate meaningful names with
;;; their keys.  When infrastructure keys are generated, parameters are
;;; provided containing fragments of information which might be useful when
;;; constructing such names.  These parameters are described in detail
;;; below.  The default profile for each type of infrastructure key defines
;;; the following properties constructed from these fragments.
;;;
;;; %description	A short but readable description of the key,
;;;			including its purpose and label.
;;;
;;; %tag		A condensed tag, containing the label and other
;;;			identifying features, suitable for inclusion in the
;;;			local part of an email address.
;;;
;;; Commands which generate infrastructure keys accept an option, usually
;;; `-p', to specify a profile by name; the default, which is almost always
;;; what you want, is to use the appropriate top-level profile defined here.
;;;
;;; All profiles for infrastructure keys include one of these four sections:
;;;
;;; %infra-asec		`Asymmetric secrecy', i.e., public-key encryption and
;;;			decryption.
;;;
;;; %infra-aint		`Asymmetric integrity', i.e., issuing and verifying
;;;			digital signatures.
;;;
;;; %infra-ssec		`Symmetric secrecy', i.e., standard symmetric
;;;			encryption and decryption.
;;;
;;; %infra-sint		`Symmetric integrity', i.e., generating and verifyng
;;;			message authentication code tags.
;;;
;;; Each of these simply includes two further sections (though they're useful
;;; if you want to select different key types for different purposes): one of
;;; `%infra-asymm' or `%infra-symm' according to whether the key is
;;; asymmetric or symmetric, and one of `%infra-sec' or `%infra-int'
;;; according to whether it's for secrecy or integrity.
;;;
;;; (Currently, there are no symmetric infrastructure keys.)

[%infra-common]

[%infra-sec]
@include = %infra-common

[%infra-int]
@include = %infra-common

[%infra-asymm]
@include = %gnupg-infra %infra-common

[%infra-symm]
@include = %infra-common

[%infra-asec]
@include = %infra-asymm %infra-sec

[%infra-aint]
@include = %infra-asymm %infra-int

[%infra-ssec]
@include = %infra-symm %infra-sec

[%infra-sint]
@include = %infra-symm %infra-int

;;;--------------------------------------------------------------------------
;;; Keeper sets.
;;;
;;; Name fragment parameters supplied:
;;;
;;; keeper		The label of the keeper set.
;;;
;;; seq			Sequence number of this key in the set (from 0, up
;;;			to NUM - 1).
;;;
;;; num			The number of keys in the set.

[keeper]
@include = %infra-asec
%description = %{keeper} %{seq}/%{num}
%tag = %{keeper}-%{seq}

;;;--------------------------------------------------------------------------
;;; Recovery keys.
;;;
;;; Name fragment parameters supplied.
;;;
;;; recov		The label of the recovery key.

[recovery]
@include = %infra-asec
%description = %{recov}
%tag = %{recov}

;;;--------------------------------------------------------------------------
;;; Archive integrity keys.
;;;
;;; These are user keys (so that users can verify archives with them).  The
;;; properties here assume a parameter `label' is provided at generation
;;; time.

[archive]
@include = %infra-aint %archive
%description = %{label}
%tag = %{label}

[%archive]
@include = %asymmetric-integrity
acl-sign = $acl-%none

;;;----- That's all, folks --------------------------------------------------
Commit	Line	Data
c0979a8f MW	1	;;; --conf--
	2	;;;
	3	;;; Default configuration for infrastructure keys
	4	;;;
	5	;;; (c) 2012 Mark Wooding
	6	;;;
	7
	8	;;;----- Licensing notice ---------------------------------------------------
	9	;;;
	10	;;; This file is part of the distorted.org.uk key management suite.
	11	;;;
	12	;;; distorted-keys is free software; you can redistribute it and/or modify
	13	;;; it under the terms of the GNU General Public License as published by
	14	;;; the Free Software Foundation; either version 2 of the License, or
	15	;;; (at your option) any later version.
	16	;;;
	17	;;; distorted-keys is distributed in the hope that it will be useful,
	18	;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	;;; GNU General Public License for more details.
	21	;;;
	22	;;; You should have received a copy of the GNU General Public License
	23	;;; along with distorted-keys; if not, write to the Free Software Foundation,
	24	;;; Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	25
	26	;;;--------------------------------------------------------------------------
	27	;;; Infrastructure keys conventions.
	28	;;;
	29	;;; Infrastructure keys are unusual in that they don't usually have access
	30	;;; control lists. Instead, they're used either automatically or as a direct
	31	;;; result of action by a privileged user.
	32	;;;
	33	;;; Some key types (e.g., `gnupg') try to associate meaningful names with
	34	;;; their keys. When infrastructure keys are generated, parameters are
	35	;;; provided containing fragments of information which might be useful when
	36	;;; constructing such names. These parameters are described in detail
	37	;;; below. The default profile for each type of infrastructure key defines
	38	;;; the following properties constructed from these fragments.
	39	;;;
	40	;;; %description A short but readable description of the key,
	41	;;; including its purpose and label.
	42	;;;
	43	;;; %tag A condensed tag, containing the label and other
	44	;;; identifying features, suitable for inclusion in the
	45	;;; local part of an email address.
	46	;;;
	47	;;; Commands which generate infrastructure keys accept an option, usually
	48	;;; `-p', to specify a profile by name; the default, which is almost always
	49	;;; what you want, is to use the appropriate top-level profile defined here.
	50	;;;
	51	;;; All profiles for infrastructure keys include one of these four sections:
	52	;;;
	53	;;; %infra-asec `Asymmetric secrecy', i.e., public-key encryption and
	54	;;; decryption.
	55	;;;
	56	;;; %infra-aint `Asymmetric integrity', i.e., issuing and verifying
	57	;;; digital signatures.
	58	;;;
	59	;;; %infra-ssec `Symmetric secrecy', i.e., standard symmetric
	60	;;; encryption and decryption.
	61	;;;
	62	;;; %infra-sint `Symmetric integrity', i.e., generating and verifyng
	63	;;; message authentication code tags.
	64	;;;
65	;;; Each of these simply includes two further sections (though they're useful
66	;;; if you want to select different key types for different purposes): one of
67	;;; `%infra-asymm' or `%infra-symm' according to whether the key is
68	;;; asymmetric or symmetric, and one of `%infra-sec' or `%infra-int'
69	;;; according to whether it's for secrecy or integrity.
70	;;;
71	;;; (Currently, there are no symmetric infrastructure keys.)
72
73	[%infra-common]
74
75	[%infra-sec]
76	@include = %infra-common
77
78	[%infra-int]
79	@include = %infra-common
80
81	[%infra-asymm]
82	@include = %gnupg-infra %infra-common
83
84	[%infra-symm]
85	@include = %infra-common
86
87	[%infra-asec]
88	@include = %infra-asymm %infra-sec
89
90	[%infra-aint]
91	@include = %infra-asymm %infra-int
92
93	[%infra-ssec]
94	@include = %infra-symm %infra-sec
95
96	[%infra-sint]
97	@include = %infra-symm %infra-int
98
99	;;;--------------------------------------------------------------------------
100	;;; Keeper sets.
101	;;;
102	;;; Name fragment parameters supplied:
103	;;;
104	;;; keeper The label of the keeper set.
105	;;;
106	;;; seq Sequence number of this key in the set (from 0, up
107	;;; to NUM - 1).
108	;;;
109	;;; num The number of keys in the set.
110
111	[keeper]
112	@include = %infra-asec
113	%description = %{keeper} %{seq}/%{num}
114	%tag = %{keeper}-%{seq}
115
116	;;;--------------------------------------------------------------------------
117	;;; Recovery keys.
118	;;;
119	;;; Name fragment parameters supplied.
120	;;;
121	;;; recov The label of the recovery key.
122
123	[recovery]
124	@include = %infra-asec
125	%description = %{recov}
126	%tag = %{recov}
127
128	;;;--------------------------------------------------------------------------
129	;;; Archive integrity keys.
130	;;;
131	;;; These are user keys (so that users can verify archives with them). The
132	;;; properties here assume a parameter `label' is provided at generation
133	;;; time.
134
135	[archive]
136	@include = %infra-aint %archive
137	%description = %{label}
138	%tag = %{label}
139
140	[%archive]
141	@include = %asymmetric-integrity
142	acl-sign = $acl-%none
143
144	;;;----- That's all, folks --------------------------------------------------