| 1 | ;;; -*-conf-*- |
| 2 | ;;; |
| 3 | ;;; Default configuration for infrastructure keys |
| 4 | ;;; |
| 5 | ;;; (c) 2012 Mark Wooding |
| 6 | ;;; |
| 7 | |
| 8 | ;;;----- Licensing notice --------------------------------------------------- |
| 9 | ;;; |
| 10 | ;;; This file is part of the distorted.org.uk key management suite. |
| 11 | ;;; |
| 12 | ;;; distorted-keys is free software; you can redistribute it and/or modify |
| 13 | ;;; it under the terms of the GNU General Public License as published by |
| 14 | ;;; the Free Software Foundation; either version 2 of the License, or |
| 15 | ;;; (at your option) any later version. |
| 16 | ;;; |
| 17 | ;;; distorted-keys is distributed in the hope that it will be useful, |
| 18 | ;;; but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 19 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 20 | ;;; GNU General Public License for more details. |
| 21 | ;;; |
| 22 | ;;; You should have received a copy of the GNU General Public License |
| 23 | ;;; along with distorted-keys; if not, write to the Free Software Foundation, |
| 24 | ;;; Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
| 25 | |
| 26 | ;;;-------------------------------------------------------------------------- |
| 27 | ;;; Infrastructure keys conventions. |
| 28 | ;;; |
| 29 | ;;; Infrastructure keys are unusual in that they don't usually have access |
| 30 | ;;; control lists. Instead, they're used either automatically or as a direct |
| 31 | ;;; result of action by a privileged user. |
| 32 | ;;; |
| 33 | ;;; Some key types (e.g., `gnupg') try to associate meaningful names with |
| 34 | ;;; their keys. When infrastructure keys are generated, parameters are |
| 35 | ;;; provided containing fragments of information which might be useful when |
| 36 | ;;; constructing such names. These parameters are described in detail |
| 37 | ;;; below. The default profile for each type of infrastructure key defines |
| 38 | ;;; the following properties constructed from these fragments. |
| 39 | ;;; |
| 40 | ;;; %description A short but readable description of the key, |
| 41 | ;;; including its purpose and label. |
| 42 | ;;; |
| 43 | ;;; %tag A condensed tag, containing the label and other |
| 44 | ;;; identifying features, suitable for inclusion in the |
| 45 | ;;; local part of an email address. |
| 46 | ;;; |
| 47 | ;;; Commands which generate infrastructure keys accept an option, usually |
| 48 | ;;; `-p', to specify a profile by name; the default, which is almost always |
| 49 | ;;; what you want, is to use the appropriate top-level profile defined here. |
| 50 | ;;; |
| 51 | ;;; All profiles for infrastructure keys include one of these four sections: |
| 52 | ;;; |
| 53 | ;;; %infra-asec `Asymmetric secrecy', i.e., public-key encryption and |
| 54 | ;;; decryption. |
| 55 | ;;; |
| 56 | ;;; %infra-aint `Asymmetric integrity', i.e., issuing and verifying |
| 57 | ;;; digital signatures. |
| 58 | ;;; |
| 59 | ;;; %infra-ssec `Symmetric secrecy', i.e., standard symmetric |
| 60 | ;;; encryption and decryption. |
| 61 | ;;; |
| 62 | ;;; %infra-sint `Symmetric integrity', i.e., generating and verifyng |
| 63 | ;;; message authentication code tags. |
| 64 | ;;; |
| 65 | ;;; Each of these simply includes two further sections (though they're useful |
| 66 | ;;; if you want to select different key types for different purposes): one of |
| 67 | ;;; `%infra-asymm' or `%infra-symm' according to whether the key is |
| 68 | ;;; asymmetric or symmetric, and one of `%infra-sec' or `%infra-int' |
| 69 | ;;; according to whether it's for secrecy or integrity. |
| 70 | ;;; |
| 71 | ;;; (Currently, there are no symmetric infrastructure keys.) |
| 72 | |
| 73 | [%infra-common] |
| 74 | |
| 75 | [%infra-sec] |
| 76 | @include = %infra-common |
| 77 | |
| 78 | [%infra-int] |
| 79 | @include = %infra-common |
| 80 | |
| 81 | [%infra-asymm] |
| 82 | @include = %gnupg-infra %infra-common |
| 83 | |
| 84 | [%infra-symm] |
| 85 | @include = %infra-common |
| 86 | |
| 87 | [%infra-asec] |
| 88 | @include = %infra-asymm %infra-sec |
| 89 | |
| 90 | [%infra-aint] |
| 91 | @include = %infra-asymm %infra-int |
| 92 | |
| 93 | [%infra-ssec] |
| 94 | @include = %infra-symm %infra-sec |
| 95 | |
| 96 | [%infra-sint] |
| 97 | @include = %infra-symm %infra-int |
| 98 | |
| 99 | ;;;-------------------------------------------------------------------------- |
| 100 | ;;; Keeper sets. |
| 101 | ;;; |
| 102 | ;;; Name fragment parameters supplied: |
| 103 | ;;; |
| 104 | ;;; keeper The label of the keeper set. |
| 105 | ;;; |
| 106 | ;;; seq Sequence number of this key in the set (from 0, up |
| 107 | ;;; to NUM - 1). |
| 108 | ;;; |
| 109 | ;;; num The number of keys in the set. |
| 110 | |
| 111 | [keeper] |
| 112 | @include = %infra-asec |
| 113 | %description = %{keeper} %{seq}/%{num} |
| 114 | %tag = %{keeper}-%{seq} |
| 115 | |
| 116 | ;;;-------------------------------------------------------------------------- |
| 117 | ;;; Recovery keys. |
| 118 | ;;; |
| 119 | ;;; Name fragment parameters supplied. |
| 120 | ;;; |
| 121 | ;;; recov The label of the recovery key. |
| 122 | |
| 123 | [recovery] |
| 124 | @include = %infra-asec |
| 125 | %description = %{recov} |
| 126 | %tag = %{recov} |
| 127 | |
| 128 | ;;;-------------------------------------------------------------------------- |
| 129 | ;;; Archive integrity keys. |
| 130 | ;;; |
| 131 | ;;; These are user keys (so that users can verify archives with them). The |
| 132 | ;;; properties here assume a parameter `label' is provided at generation |
| 133 | ;;; time. |
| 134 | |
| 135 | [archive] |
| 136 | @include = %infra-aint %archive |
| 137 | %description = %{label} |
| 138 | %tag = %{label} |
| 139 | |
| 140 | [%archive] |
| 141 | @include = %asymmetric-integrity |
| 142 | acl-sign = $acl-%none |
| 143 | |
| 144 | ;;;----- That's all, folks -------------------------------------------------- |