[tripe] / doc / tripe-keys.8

.\" -*-nroff-*-
.\".
.de hP
.IP
\h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c
..
.de VS
.sp 1
.RS
.nf
.ft B
..
.de VE
.ft R
.fi
.RE
.sp 1
..
.ie t \{\
.  ds o \(bu
.  ds ss \s8\u
.  ds se \d\s0
.  if \n(.g \{\
.    fam P
.  \}
.\}
.el \{\
.  ds o o
.  ds ss ^
.  ds se
.\}
.TH tripe-keys 8 "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
.SH "NAME"
tripe-keys \- simple centralized key management for tripe
.SH "SYNOPSIS"
.B tripe-keys
.I operation
.IP "Operations supported:"
.BI "help \fR[" command \fR]
.br
.B "setup"
.br
.B "upload"
.br
.BI "generate " tag
.br
.B "update"
.br
.B "newmaster"
.br
.B "rebuild"
.br
.B "clean"
.SH "DESCRIPTION"
The
.B tripe-keys
script implements a very simple, centralized key management system for
.BR tripe (8).
It assumes that there is a central authority who knows all the public
keys for a private network.
.SS "Overview"
The
.B tripe-keys
program maintains a
.I repository
of public keys.  It provides a way for a master authority to publish the
repository and for clients to obtain authentic copies of it.
.PP
The repository is very simple: it consists of a directory
.B repos
full of public-key files, each named
.BI peer- tag .pub \fR.
.PP
The repository setup process creates a master signing key, stored in the
.B master
keyring, and a key describing the parameters to be used for generating
key-exchange keys, stored in
.BR repos/param .
.PP
The master authority has a configuration file
.BR tripe-keys.master ,
usually created by copying the template provided and editing it.  
.PP
The published repository consists of a tarball of the
.B repos
directory, containing the key-generation parameters and all the peers'
public keys, and a client configuration file
.BR tripe-keys.conf .
The tarball is signed by the master authority's signing key.
.PP
The client configuration file is essentially a copy of
.B tripe-keys.master
with some extra bits filled in: in particular, it contains the
fingerprint of the master signing key, so that the client can be sure
it's checking the right key.
.PP
A peer starts by downloading a copy of
.B tripe-keys.conf
and then making sure it's authentic.  (This is one of the tricky bits.
The other is getting public keys back to the master authority.)  This is
enough for the peer to fetch a copy of the repository, verify the
signature, and assemble a public keyring for the other peers in the
network.
.PP
In fact, it's not
.I quite
that simple.  The system allows new signing keys to replace old ones, so
in fact the publication process signs the repository archive using a
collection of keys.  Each signing key is given a sequence number.  The
client configuration file contains the sequence number of the master
signing key whose fingerprint it knows.  During an update, the right
signature is fetched and checked; if there's a new master key, then the
.B tripe-keys.conf
in the new repository archive will have its sequence number and
fingerprint: the update process will replace its configuration file with
the new version, and the peer will use the new key from then on.
.SS "Options"
The
.B tripe-keys
program accepts some standard command-line options:
.TP
.B "\-h, \-\-help"
Print general help about
.B tripe-keys
to standard output and exit successfully.
.TP
.B "\-v, \-\-version"
Print the version number of
.B tripe-keys
to standard output and exit successfully.
.TP
.B "\-u, \-\-usage"
Print brief usage about
.B tripe-keys
to standard output and exit successfully.
.SS "Subcommands"
.TP
.BI "help \fR[" command \fR]
With no arguments, shows help, as for the
.B \-\-help
option.  With an argument, shows help about that
.IR command .
.TP
.B "setup"
Constructs a new repository and makes a signing key (as for 
.BR newmaster )
and key-exchange parameters.  Fails if
.B repos
already exists.
.TP
.B "upload"
Build a repository archive, sign it with the active signing keys, and
make a
.B tripe-keys.conf
file.  Copy the results to the places named by
.IR repos-file ,
.IR sig-file ,
and
.I conf-file
respectively.  (This command is currently misnamed.  It only copies
stuff about the local filesystem.  Some day it'll really upload stuff.)
.TP
.BI "generate " tag
Generate a peer key for the peer named
.IR tag .
The private key ends up in
.BR keyring ;
the public key is written to
.BI peer- tag .pub
in the
.I current
directory.
.TP
.B update
Fetches a new copy of the repository archive and its signature.  It
unpacks the archive in a temporary directory, and checks the enclosed
master public key against the fingerprint in the configuration file.  It
then verifies the signature on the archive using this public key.  If
all is well, it replaces the current
.B repos
directory with the version in the new archive, and if necessary it
replaces the current configuration file with the new one in the
archive.  It then does a 
.B rebuild
to construct a new
.B keyring.pub
file.
.TP
.B newmaster
Generates a new master signing key.  The old master key is not deleted.
.TP
.B rebuild
Rebuilds the public keyring
.B keyring.pub
from the public keys in the
.B repos
directory.
.TP
.B clean
Deletes everything which
.B tripe-keys
might have written to a directory.  In particular, it deletes
.BR repos ,
.BR tmp ,
.BR master ,
.BR keyring ,
.BR keying.pub ,
and their associated
.B .old
files.
.SH "SEE ALSO"
.BR key (1),
.BR tripe\-keys.conf (5),
.BR tripe (8).
.SH "AUTHOR"
Mark Wooding, <mdw@distorted.org.uk>
Commit	Line	Data
060ca767	1	.\" --nroff--
	2	.\".
	3	.de hP
	4	.IP
	5	\h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c
	6	..
	7	.de VS
	8	.sp 1
	9	.RS
	10	.nf
	11	.ft B
	12	..
	13	.de VE
	14	.ft R
	15	.fi
	16	.RE
	17	.sp 1
	18	..
	19	.ie t \{\
	20	. ds o \(bu
	21	. ds ss \s8\u
	22	. ds se \d\s0
	23	. if \n(.g \{\
	24	. fam P
	25	. \}
	26	.\}
	27	.el \{\
	28	. ds o o
	29	. ds ss ^
	30	. ds se
	31	.\}
	32	.TH tripe-keys 8 "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
	33	.SH "NAME"
	34	tripe-keys \- simple centralized key management for tripe
	35	.SH "SYNOPSIS"
	36	.B tripe-keys
	37	.I operation
	38	.IP "Operations supported:"
c77687d5	39	.BI "help \fR[" command \fR]
	40	.br
	41	.B "setup"
	42	.br
	43	.B "upload"
060ca767	44	.br
	45	.BI "generate " tag
	46	.br
	47	.B "update"
	48	.br
c77687d5	49	.B "newmaster"
060ca767	50	.br
c77687d5	51	.B "rebuild"
060ca767	52	.br
c77687d5	53	.B "clean"
060ca767	54	.SH "DESCRIPTION"
	55	The
	56	.B tripe-keys
	57	script implements a very simple, centralized key management system for
	58	.BR tripe (8).
	59	It assumes that there is a central authority who knows all the public
	60	keys for a private network.
	61	.SS "Overview"
	62	The
	63	.B tripe-keys
	64	program maintains a
	65	.I repository
	66	of public keys. It provides a way for a master authority to publish the
	67	repository and for clients to obtain authentic copies of it.
	68	.PP
	69	The repository is very simple: it consists of a directory
	70	.B repos
	71	full of public-key files, each named
	72	.BI peer- tag .pub \fR.
	73	.PP
	74	The repository setup process creates a master signing key, stored in the
	75	.B master
	76	keyring, and a key describing the parameters to be used for generating
	77	key-exchange keys, stored in
	78	.BR repos/param .
	79	.PP
	80	The master authority has a configuration file
	81	.BR tripe-keys.master ,
	82	usually created by copying the template provided and editing it.
	83	.PP
	84	The published repository consists of a tarball of the
	85	.B repos
	86	directory, containing the key-generation parameters and all the peers'
	87	public keys, and a client configuration file
	88	.BR tripe-keys.conf .
	89	The tarball is signed by the master authority's signing key.
	90	.PP
	91	The client configuration file is essentially a copy of
	92	.B tripe-keys.master
	93	with some extra bits filled in: in particular, it contains the
	94	fingerprint of the master signing key, so that the client can be sure
	95	it's checking the right key.
	96	.PP
	97	A peer starts by downloading a copy of
	98	.B tripe-keys.conf
	99	and then making sure it's authentic. (This is one of the tricky bits.
	100	The other is getting public keys back to the master authority.) This is
	101	enough for the peer to fetch a copy of the repository, verify the
	102	signature, and assemble a public keyring for the other peers in the
	103	network.
	104	.PP
	105	In fact, it's not
	106	.I quite
	107	that simple. The system allows new signing keys to replace old ones, so
	108	in fact the publication process signs the repository archive using a
	109	collection of keys. Each signing key is given a sequence number. The
	110	client configuration file contains the sequence number of the master
	111	signing key whose fingerprint it knows. During an update, the right
	112	signature is fetched and checked; if there's a new master key, then the
	113	.B tripe-keys.conf
	114	in the new repository archive will have its sequence number and
	115	fingerprint: the update process will replace its configuration file with
	116	the new version, and the peer will use the new key from then on.
	117	.SS "Options"
118	The
119	.B tripe-keys
120	program accepts some standard command-line options:
121	.TP
122	.B "\-h, \-\-help"
123	Print general help about
124	.B tripe-keys
125	to standard output and exit successfully.
126	.TP
127	.B "\-v, \-\-version"
128	Print the version number of
129	.B tripe-keys
130	to standard output and exit successfully.
131	.TP
132	.B "\-u, \-\-usage"
133	Print brief usage about
134	.B tripe-keys
135	to standard output and exit successfully.
136	.SS "Subcommands"
137	.TP
c77687d5	138	.BI "help \fR[" command \fR]
060ca767	139	With no arguments, shows help, as for the
	140	.B \-\-help
	141	option. With an argument, shows help about that
	142	.IR command .
	143	.TP
	144	.B "setup"
	145	Constructs a new repository and makes a signing key (as for
	146	.BR newmaster )
	147	and key-exchange parameters. Fails if
	148	.B repos
	149	already exists.
	150	.TP
	151	.B "upload"
	152	Build a repository archive, sign it with the active signing keys, and
	153	make a
	154	.B tripe-keys.conf
	155	file. Copy the results to the places named by
	156	.IR repos-file ,
	157	.IR sig-file ,
	158	and
	159	.I conf-file
	160	respectively. (This command is currently misnamed. It only copies
	161	stuff about the local filesystem. Some day it'll really upload stuff.)
	162	.TP
	163	.BI "generate " tag
	164	Generate a peer key for the peer named
	165	.IR tag .
	166	The private key ends up in
	167	.BR keyring ;
	168	the public key is written to
	169	.BI peer- tag .pub
	170	in the
	171	.I current
	172	directory.
	173	.TP
	174	.B update
	175	Fetches a new copy of the repository archive and its signature. It
	176	unpacks the archive in a temporary directory, and checks the enclosed
	177	master public key against the fingerprint in the configuration file. It
	178	then verifies the signature on the archive using this public key. If
	179	all is well, it replaces the current
	180	.B repos
	181	directory with the version in the new archive, and if necessary it
	182	replaces the current configuration file with the new one in the
	183	archive. It then does a
	184	.B rebuild
	185	to construct a new
	186	.B keyring.pub
	187	file.
	188	.TP
	189	.B newmaster
	190	Generates a new master signing key. The old master key is not deleted.
	191	.TP
	192	.B rebuild
	193	Rebuilds the public keyring
	194	.B keyring.pub
	195	from the public keys in the
	196	.B repos
	197	directory.
	198	.TP
	199	.B clean
	200	Deletes everything which
	201	.B tripe-keys
	202	might have written to a directory. In particular, it deletes
203	.BR repos ,
204	.BR tmp ,
205	.BR master ,
206	.BR keyring ,
207	.BR keying.pub ,
208	and their associated
209	.B .old
210	files.
211	.SH "SEE ALSO"
212	.BR key (1),
213	.BR tripe\-keys.conf (5),
214	.BR tripe (8).
215	.SH "AUTHOR"
216	Mark Wooding, <mdw@distorted.org.uk>