;;; -*-conf-*- ;;; ;;; Default configuration for infrastructure keys ;;; ;;; (c) 2012 Mark Wooding ;;; ;;;----- Licensing notice --------------------------------------------------- ;;; ;;; This file is part of the distorted.org.uk key management suite. ;;; ;;; distorted-keys is free software; you can redistribute it and/or modify ;;; it under the terms of the GNU General Public License as published by ;;; the Free Software Foundation; either version 2 of the License, or ;;; (at your option) any later version. ;;; ;;; distorted-keys is distributed in the hope that it will be useful, ;;; but WITHOUT ANY WARRANTY; without even the implied warranty of ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;; GNU General Public License for more details. ;;; ;;; You should have received a copy of the GNU General Public License ;;; along with distorted-keys; if not, write to the Free Software Foundation, ;;; Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ;;;-------------------------------------------------------------------------- ;;; Infrastructure keys conventions. ;;; ;;; Infrastructure keys are unusual in that they don't usually have access ;;; control lists. Instead, they're used either automatically or as a direct ;;; result of action by a privileged user. ;;; ;;; Some key types (e.g., `gnupg') try to associate meaningful names with ;;; their keys. When infrastructure keys are generated, parameters are ;;; provided containing fragments of information which might be useful when ;;; constructing such names. These parameters are described in detail ;;; below. The default profile for each type of infrastructure key defines ;;; the following properties constructed from these fragments. ;;; ;;; %description A short but readable description of the key, ;;; including its purpose and label. ;;; ;;; %tag A condensed tag, containing the label and other ;;; identifying features, suitable for inclusion in the ;;; local part of an email address. ;;; ;;; Commands which generate infrastructure keys accept an option, usually ;;; `-p', to specify a profile by name; the default, which is almost always ;;; what you want, is to use the appropriate top-level profile defined here. ;;; ;;; All profiles for infrastructure keys include one of these four sections: ;;; ;;; %infra-asec `Asymmetric secrecy', i.e., public-key encryption and ;;; decryption. ;;; ;;; %infra-aint `Asymmetric integrity', i.e., issuing and verifying ;;; digital signatures. ;;; ;;; %infra-ssec `Symmetric secrecy', i.e., standard symmetric ;;; encryption and decryption. ;;; ;;; %infra-sint `Symmetric integrity', i.e., generating and verifyng ;;; message authentication code tags. ;;; ;;; Each of these simply includes two further sections (though they're useful ;;; if you want to select different key types for different purposes): one of ;;; `%infra-asymm' or `%infra-symm' according to whether the key is ;;; asymmetric or symmetric, and one of `%infra-sec' or `%infra-int' ;;; according to whether it's for secrecy or integrity. ;;; ;;; (Currently, there are no symmetric infrastructure keys.) [%infra-common] [%infra-sec] @include = %infra-common [%infra-int] @include = %infra-common [%infra-asymm] @include = %gnupg-infra %infra-common [%infra-symm] @include = %infra-common [%infra-asec] @include = %infra-asymm %infra-sec [%infra-aint] @include = %infra-asymm %infra-int [%infra-ssec] @include = %infra-symm %infra-sec [%infra-sint] @include = %infra-symm %infra-int ;;;-------------------------------------------------------------------------- ;;; Keeper sets. ;;; ;;; Name fragment parameters supplied: ;;; ;;; keeper The label of the keeper set. ;;; ;;; seq Sequence number of this key in the set (from 0, up ;;; to NUM - 1). ;;; ;;; num The number of keys in the set. [keeper] @include = %infra-asec %description = %{keeper} %{seq}/%{num} %tag = %{keeper}-%{seq} ;;;-------------------------------------------------------------------------- ;;; Recovery keys. ;;; ;;; Name fragment parameters supplied. ;;; ;;; recov The label of the recovery key. [recovery] @include = %infra-asec %description = %{recov} %tag = %{recov} ;;;-------------------------------------------------------------------------- ;;; Archive integrity keys. ;;; ;;; These are user keys (so that users can verify archives with them). The ;;; properties here assume a parameter `label' is provided at generation ;;; time. [archive] @include = %infra-aint %archive %description = %{label} %tag = %{label} [%archive] @include = %asymmetric-integrity acl-sign = $acl-%none ;;;----- That's all, folks --------------------------------------------------