.\" -*-nroff-*-
.\"
.de hP
.IP \h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c
..
.de VS
.sp 1
.RS
.nf
.ft B
..
.de VE
.ft R
.fi
.RE
.sp 1
..
.ie t \{\
. ds o \(bu
. ds ss \s8\u
. ds se \d\s0
. if \n(.g \{\
. fam P
. \}
.\}
.el \{\
. ds o o
. ds ss ^
. ds se
.\}
.TH tripe-keys.conf 5 "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
.SH "NAME"
tripe-keys.conf \- configuration file format for tripe-keys
.SH "DESCRIPTION"
The
.B tripe-keys.master
or
.B tripe-keys.conf
file is a simple line-based configuration file read by
.BR tripe-keys (1).
Lines may be empty (consist only of whitespace), be comments (first
non-whitespace character is
.RB ` # ')
or have the form
.IP
.I name
.RB [ = ]
.I value
.PP
A
.I name
consists of alphanumeric characters and hyphens.
Values may contain substitutions, of the form
.BI ${ name } \fR,
which are replaced by the value assigned to
.IR name .
Many
.IR name s
have significance to the
.B tripe-keys
program: these are described below.
Many have sensible defaults.
.SS "The tripe-keys.master file"
The client configuration file is built by applying substitutions to the
.B tripe-keys.master
file.
The following tokens are substituted:
.TP
.B @MASTER-SEQUENCE@
The sequence number of the most recently-added signing key.
.TP
.B @HK-MASTER@
The fingerprint of the signing key identified by
.BR @MASTER-SEQUENCE@ .
.SS "Master repository parameters"
.TP
.I base-url
The base URL of the key repository (usually with a trailing
.RB ` / ').
Typically, this will be something like
.BR http://www.distorted.org.uk/vpn/ .
No default.
.TP
.I repos-base
The basename for the repository archive.
Default is
.BR tripe-keys.tar.gz .
.TP
.I sig-base
The basename template for repository signatures.
Default is
.BR tripe-keys.sig- .
The
.RB ` '
portion, if any, is replaced by the sequence number of the key which
made the signature.
.TP
.I repos-url
The URL for the key repository tarball.
Default is the concatenation of
.I base-url
and
.IR repos-base .
.TP
.I sig-url
The URL template for key repository signatures.
Default is the concatenation of
.I base-url
and
.IR sig-base .
.TP
.I master-sequence
The sequence number of the master authority's current signing key.
No default.
Usually set up automatically.
.TP
.I hk-master
The fingerprint of the current master signing key.
No default.
Usually set up automatically.
.SS "Crypto parameters"
.TP
.I kx
Key-exchange algorithm to use.
Either
.B dh
(integer Diffie-Hellman) or
.B ec
(elliptic curves).
The default is
.BR dh .
.TP
.I kx-param
Options to pass to
.B "key add"
when generating the parameters key.
Default depends on
.I kx
as follows.
.TS
center;
| ci | ci |
| lb | lb |.
_
kx	kx-param
_
dh	\-LS \-b2048 \-B256
ec	\-Cnist-p256
_
.TE
.TP
.I kx-expire
Expiry time for generated keys.
Default is
.BR "now + 1 day" .
.TP
.I hash
Hashing algorithm to use.
Default is
.BR sha256 .
.TP
.I mac
Message authentication algorithm to use.
Default is
.IB hash -hmac/ halfhashlen \fR,
where
.I halfhashlen
is half of
.IR hash 's
output length.
.TP
.I mgf
Mask-generation algorithm to use.
Default is
.IB hash -mgf \fR.
This is probably a good choice.
.TP
.I cipher
Symmetric encryption scheme to use.
Default is
.BR blowfish-cbc .
.TP
.I sig
Signature scheme to use.
Must be one of those recognized by
.BR catsign (1).
Default is
.B dsa
if
.I kx
is
.BR dh ,
or
.B ecdsa
if
.I kx
is
.BR ec .
.TP
.I sig-genalg
Key-generation algorithm for signing key.
Default depends on
.I sig
as follows.
.TS
center;
| ci | ci |
| lb | lb |.
_
sig	sig-genalg
_
kcdsa	dh
dsa	dsa
rsapcs1	rsa
rsapss	rsa
ecdsa	ec
eckcdsa	ec
_
.TE
.TP
.I sig-param
Signature-key generation parameters.
Default depends on
.I sig-genalg
as follows.
.TS
center;
| ci | ci |
| lb | lb |.
_
sig-genalg	sig-param
_
dh	\-LS \-b2048 \-B256
dsa	\-b2048 \-B256
rsa	\-b2048
ec	\-Cnist-p256
_
.TE
.TP
.I sig-hash
Hash function to use for making signatures.
Default is
.IR hash .
.TP
.I sig-fresh
Oldest time we should consider a signed archive to be fresh.
Default is
.BR always ,
meaning that all signatures are fresh.
.TP
.I sig-expire
Expiry time for master signing key.
Default is
.BR forever .
.TP
.I fingerprint-hash
Hash function to use for key fingerprinting.
Default is
.IR hash .
.SS "Master maintenance parameters"
.TP
.I base-dir
Local base directory for the repository files.
This probably ought to end in a
.RB ` / '
character.
No default.
.TP
.I repos-file
Filename for local repository tarball.
Default is the concatenation of
.I base-dir
and
.IR repos-base .
.TP
.I sig-file
Template for repository signatures.
Default is the concatenation of
.I base-dir
and
.IR sig-base .
.TP
.I conf-file
Filename for local repository configuration file.
Default is
.IB base-dir /tripe-keys.conf \fR.
.SH "SEE ALSO"
.BR tripe (8),
.BR tripe\-keys (8).
.SH "AUTHOR"
Mark Wooding,
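.SH "EXAMPLE"
The following Python reader is an added illustration rather than part of
.B tripe-keys
itself: it parses the line format described above, expands
.BI ${ name }
references, fills in the documented defaults, and rejects circular
substitutions and references to mandatory settings that were never set.
The class and method names are the example's own; the format, tables and
defaults are those documented on this page.

```python
import re
# Added example, not tripe's own code: reads the tripe-keys.conf line format,
# expands ${name} and fills in the defaults this page documents.
NAME_RE = re.compile(r'^([A-Za-z0-9-]+)\s*(?:=\s*)?(.*)$')   # name [=] value
SUBST_RE = re.compile(r'\$\{([A-Za-z0-9-]+)\}')                # ${name}
# Tables from the page: sig -> sig-genalg, and "key add" options per algorithm.
SIG_GENALG = {'kcdsa': 'dh', 'dsa': 'dsa', 'rsapcs1': 'rsa', 'rsapss': 'rsa',
              'ecdsa': 'ec', 'eckcdsa': 'ec'}
GEN_PARAM = {'dh': '-LS -b2048 -B256', 'dsa': '-b2048 -B256',
             'rsa': '-b2048', 'ec': '-Cnist-p256'}
# Defaults: strings get ${} substitution like any other value; callables derive
# one from other settings.  base-url, base-dir, master-sequence and hk-master
# deliberately have no default, so using them unset is an error.
DEFAULTS = {
    'repos-base': 'tripe-keys.tar.gz', 'sig-base': 'tripe-keys.sig-',
    'repos-url': '${base-url}${repos-base}', 'sig-url': '${base-url}${sig-base}',
    'kx': 'dh', 'hash': 'sha256', 'mgf': '${hash}-mgf', 'cipher': 'blowfish-cbc',
    'repos-file': '${base-dir}${repos-base}', 'sig-file': '${base-dir}${sig-base}',
    'conf-file': '${base-dir}/tripe-keys.conf',
    'kx-param': lambda c: GEN_PARAM[c.get('kx')],
    'sig': lambda c: {'dh': 'dsa', 'ec': 'ecdsa'}[c.get('kx')],
    'sig-genalg': lambda c: SIG_GENALG[c.get('sig')],
    'sig-param': lambda c: GEN_PARAM[c.get('sig-genalg')],
}

class Config:
    def __init__(self, text):
        self.raw = {}
        for lineno, line in enumerate(text.splitlines(), 1):
            s = line.strip()
            if not s or s.startswith('#'):          # blank line or comment
                continue
            m = NAME_RE.match(s)
            if not m:
                raise ValueError(f'line {lineno}: expected "name [=] value"')
            self.raw[m.group(1)] = m.group(2)

    def get(self, name, _stack=()):
        """Resolve name, expanding ${...}; refuse loops and unset mandatory names."""
        if name in _stack:
            raise ValueError('circular substitution: ' + ' -> '.join(_stack + (name,)))
        if name in self.raw:
            value = self.raw[name]
        elif name in DEFAULTS:
            value = DEFAULTS[name]
            if callable(value):
                return value(self)                  # table lookup, no ${} inside
        else:
            raise KeyError(f'{name}: not set and has no default')
        return SUBST_RE.sub(lambda m: self.get(m.group(1), _stack + (name,)), value)
```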