--- /dev/null
+;;; -*-conf-*-
+;;;
+;;; Default configuration for infrastructure keys
+;;;
+;;; (c) 2012 Mark Wooding
+;;;
+
+;;;----- Licensing notice ---------------------------------------------------
+;;;
+;;; This file is part of the distorted.org.uk key management suite.
+;;;
+;;; distorted-keys is free software; you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 2 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; distorted-keys is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with distorted-keys; if not, write to the Free Software Foundation,
+;;; Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+;;;--------------------------------------------------------------------------
+;;; Infrastructure keys conventions.
+;;;
+;;; Infrastructure keys are unusual in that they don't usually have access
+;;; control lists. Instead, they're used either automatically or as a direct
+;;; result of action by a privileged user.
+;;;
+;;; Some key types (e.g., `gnupg') try to associate meaningful names with
+;;; their keys. When infrastructure keys are generated, parameters are
+;;; provided containing fragments of information which might be useful when
+;;; constructing such names. These parameters are described in detail
+;;; below. The default profile for each type of infrastructure key defines
+;;; the following properties constructed from these fragments.
+;;;
+;;; %description A short but readable description of the key,
+;;; including its purpose and label.
+;;;
+;;; %tag A condensed tag, containing the label and other
+;;; identifying features, suitable for inclusion in the
+;;; local part of an email address.
+;;;
+;;; Commands which generate infrastructure keys accept an option, usually
+;;; `-p', to specify a profile by name; the default, which is almost always
+;;; what you want, is to use the appropriate top-level profile defined here.
+;;;
+;;; All profiles for infrastructure keys include one of these four sections:
+;;;
+;;; %infra-asec `Asymmetric secrecy', i.e., public-key encryption and
+;;; decryption.
+;;;
+;;; %infra-aint `Asymmetric integrity', i.e., issuing and verifying
+;;; digital signatures.
+;;;
+;;; %infra-ssec `Symmetric secrecy', i.e., standard symmetric
+;;; encryption and decryption.
+;;;
+;;; %infra-sint `Symmetric integrity', i.e., generating and verifyng
+;;; message authentication code tags.
+;;;
+;;; Each of these simply includes two further sections (though they're useful
+;;; if you want to select different key types for different purposes): one of
+;;; `%infra-asymm' or `%infra-symm' according to whether the key is
+;;; asymmetric or symmetric, and one of `%infra-sec' or `%infra-int'
+;;; according to whether it's for secrecy or integrity.
+;;;
+;;; (Currently, there are no symmetric infrastructure keys.)
+
+[%infra-common]
+
+[%infra-sec]
+@include = %infra-common
+
+[%infra-int]
+@include = %infra-common
+
+[%infra-asymm]
+@include = %gnupg-infra %infra-common
+
+[%infra-symm]
+@include = %infra-common
+
+[%infra-asec]
+@include = %infra-asymm %infra-sec
+
+[%infra-aint]
+@include = %infra-asymm %infra-int
+
+[%infra-ssec]
+@include = %infra-symm %infra-sec
+
+[%infra-sint]
+@include = %infra-symm %infra-int
+
+;;;--------------------------------------------------------------------------
+;;; Keeper sets.
+;;;
+;;; Name fragment parameters supplied:
+;;;
+;;; keeper The label of the keeper set.
+;;;
+;;; seq Sequence number of this key in the set (from 0, up
+;;; to NUM - 1).
+;;;
+;;; num The number of keys in the set.
+
+[keeper]
+@include = %infra-asec
+%description = %{keeper} %{seq}/%{num}
+%tag = %{keeper}-%{seq}
+
+;;;--------------------------------------------------------------------------
+;;; Recovery keys.
+;;;
+;;; Name fragment parameters supplied.
+;;;
+;;; recov The label of the recovery key.
+
+[recovery]
+@include = %infra-asec
+%description = %{recov}
+%tag = %{recov}
+
+;;;--------------------------------------------------------------------------
+;;; Archive integrity keys.
+;;;
+;;; These are user keys (so that users can verify archives with them). The
+;;; properties here assume a parameter `label' is provided at generation
+;;; time.
+
+[archive]
+@include = %infra-aint %archive
+%description = %{label}
+%tag = %{label}
+
+[%archive]
+@include = %asymmetric-integrity
+acl-sign = $acl-%none
+
+;;;----- That's all, folks --------------------------------------------------
~mdw / distorted-keys / blobdiff