X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/distorted-keys/blobdiff_plain/32d4aa8c0a6247b701aec2730a9cb35e04ac6311..c0979a8f5abf02b454aee797e2aa028360186cc4:/profile.d/02infra diff --git a/profile.d/02infra b/profile.d/02infra new file mode 100644 index 0000000..8412bc2 --- /dev/null +++ b/profile.d/02infra @@ -0,0 +1,144 @@ +;;; -*-conf-*- +;;; +;;; Default configuration for infrastructure keys +;;; +;;; (c) 2012 Mark Wooding +;;; + +;;;----- Licensing notice --------------------------------------------------- +;;; +;;; This file is part of the distorted.org.uk key management suite. +;;; +;;; distorted-keys is free software; you can redistribute it and/or modify +;;; it under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 2 of the License, or +;;; (at your option) any later version. +;;; +;;; distorted-keys is distributed in the hope that it will be useful, +;;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with distorted-keys; if not, write to the Free Software Foundation, +;;; Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + +;;;-------------------------------------------------------------------------- +;;; Infrastructure keys conventions. +;;; +;;; Infrastructure keys are unusual in that they don't usually have access +;;; control lists. Instead, they're used either automatically or as a direct +;;; result of action by a privileged user. +;;; +;;; Some key types (e.g., `gnupg') try to associate meaningful names with +;;; their keys. When infrastructure keys are generated, parameters are +;;; provided containing fragments of information which might be useful when +;;; constructing such names. These parameters are described in detail +;;; below. The default profile for each type of infrastructure key defines +;;; the following properties constructed from these fragments. +;;; +;;; %description A short but readable description of the key, +;;; including its purpose and label. +;;; +;;; %tag A condensed tag, containing the label and other +;;; identifying features, suitable for inclusion in the +;;; local part of an email address. +;;; +;;; Commands which generate infrastructure keys accept an option, usually +;;; `-p', to specify a profile by name; the default, which is almost always +;;; what you want, is to use the appropriate top-level profile defined here. +;;; +;;; All profiles for infrastructure keys include one of these four sections: +;;; +;;; %infra-asec `Asymmetric secrecy', i.e., public-key encryption and +;;; decryption. +;;; +;;; %infra-aint `Asymmetric integrity', i.e., issuing and verifying +;;; digital signatures. +;;; +;;; %infra-ssec `Symmetric secrecy', i.e., standard symmetric +;;; encryption and decryption. +;;; +;;; %infra-sint `Symmetric integrity', i.e., generating and verifyng +;;; message authentication code tags. +;;; +;;; Each of these simply includes two further sections (though they're useful +;;; if you want to select different key types for different purposes): one of +;;; `%infra-asymm' or `%infra-symm' according to whether the key is +;;; asymmetric or symmetric, and one of `%infra-sec' or `%infra-int' +;;; according to whether it's for secrecy or integrity. +;;; +;;; (Currently, there are no symmetric infrastructure keys.) + +[%infra-common] + +[%infra-sec] +@include = %infra-common + +[%infra-int] +@include = %infra-common + +[%infra-asymm] +@include = %gnupg-infra %infra-common + +[%infra-symm] +@include = %infra-common + +[%infra-asec] +@include = %infra-asymm %infra-sec + +[%infra-aint] +@include = %infra-asymm %infra-int + +[%infra-ssec] +@include = %infra-symm %infra-sec + +[%infra-sint] +@include = %infra-symm %infra-int + +;;;-------------------------------------------------------------------------- +;;; Keeper sets. +;;; +;;; Name fragment parameters supplied: +;;; +;;; keeper The label of the keeper set. +;;; +;;; seq Sequence number of this key in the set (from 0, up +;;; to NUM - 1). +;;; +;;; num The number of keys in the set. + +[keeper] +@include = %infra-asec +%description = %{keeper} %{seq}/%{num} +%tag = %{keeper}-%{seq} + +;;;-------------------------------------------------------------------------- +;;; Recovery keys. +;;; +;;; Name fragment parameters supplied. +;;; +;;; recov The label of the recovery key. + +[recovery] +@include = %infra-asec +%description = %{recov} +%tag = %{recov} + +;;;-------------------------------------------------------------------------- +;;; Archive integrity keys. +;;; +;;; These are user keys (so that users can verify archives with them). The +;;; properties here assume a parameter `label' is provided at generation +;;; time. + +[archive] +@include = %infra-aint %archive +%description = %{label} +%tag = %{label} + +[%archive] +@include = %asymmetric-integrity +acl-sign = $acl-%none + +;;;----- That's all, folks --------------------------------------------------