--- /dev/null
+.\" -*-nroff-*-
+.\".
+.de hP
+.IP
+\h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c
+..
+.de VS
+.sp 1
+.RS
+.nf
+.ft B
+..
+.de VE
+.ft R
+.fi
+.RE
+.sp 1
+..
+.ie t \{\
+. ds o \(bu
+. ds ss \s8\u
+. ds se \d\s0
+. if \n(.g \{\
+. fam P
+. \}
+.\}
+.el \{\
+. ds o o
+. ds ss ^
+. ds se
+.\}
+.TH tripe-keys.conf 5 "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
+.SH "NAME"
+tripe-keys.conf \- configuration file format for tripe-keys
+.SH "DESCRIPTION"
+The
+.B tripe-keys.master
+or
+.B tripe-keys.conf
+file is a simple line-based configuration file read by
+.BR tripe-keys (1).
+Lines may be empty (consist only of whitespace), be comments (first
+non-whitespace character is
+.RB ` # ')
+or have the form
+.IP
+.I name
+.RB [ = ]
+.I value
+.PP
+A
+.I name
+consists of alphanumeric characters and hyphens. Values may contain
+substitutions, of the form
+.BI ${ name } \fR,
+which are replaced by the value assigned to
+.IR name .
+Many
+.IR name s
+have significance to the
+.B tripe-keys
+program: these are described below. Many have sensible defaults.
+.SS "The tripe-keys.master file"
+The client configuration file is built by applying substitutions to the
+.B tripe-keys.master
+file. The following tokens are substituted:
+.TP
+.B @MASTER-SEQUENCE@
+The sequence number of the most recently-added signing key.
+.TP
+.B @HK-MASTER@
+The fingerprint of the signing key identified by
+.BR @MASTER-SEQUENCE@ .
+.SS "Master repository parameters"
+.TP
+.I base-url
+The base URL of the key repository (usually with a trailing
+.RB ` / ').
+Typically, this will be something like
+.RB http://www.distorted.org.uk/vpn/ .
+No default.
+.TP
+.I repos-base
+The basename for the repository archive. Default is
+.BR tripe-keys.tar.gz .
+.TP
+.I sig-base
+The basename template for repository signatures. Default is
+.BR tripe-keys.sig-<SEQ> .
+The
+.RB ` <SEQ> '
+portion, if any, is replaced by the sequence number of the key which
+made the signature.
+.TP
+.I repos-url
+The URL for the key repository tarball. Default is the concatenation of
+.I base-url
+and
+.IR repos-base .
+.TP
+.I sig-url
+The URL template for key repository signatures. Default is the
+concatenation of
+.I sig-url
+and
+.IR sig-base .
+.TP
+.I master-sequence
+The sequence number of the master authority's current signing key. No
+default. Usually set up automatically.
+.TP
+.I hk-master
+The fingerprint of the current master signing key. No default. Usually
+set up automatically.
+.SS "Crypto parameters"
+.TP
+.I kx
+Key-exchange algorithm to use. Either
+.B dh
+(integer Diffie-Hellman)
+or
+.B ec
+(elliptic curves). The default is
+.BR dh .
+.TP
+.I kx-param
+Options to pass to
+.B "key add"
+when generating the parameters key. Default depends on
+.I kx
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx kx-param
+_
+dh \-LS \-b2048 \-B256
+ec \-Cnist-p256
+_
+.TE
+.TP
+.I kx-expire
+Expiry time for generated keys. Default is
+.BR "now + 1 day" .
+.TP
+.I hash
+Hashing algorithm to use. Default is
+.BR sha256 .
+.TP
+.I mac
+Message authentication algorithm to use. Default is
+.IB hash -hmac/ halfhashlen \fR,
+where
+.I halfhashlen
+is half of
+.IR hash 's
+output length.
+.TP
+.I mgf
+Mask-generation algorithm to use. Default is
+.IB hash -mgf \fR.
+This is probably a good choice.
+.TP
+.I cipher
+Symmetric encryption scheme to use. Default is
+.BR blowfish-cbc .
+.TP
+.I sig
+Signature scheme to use. Must be one of those recognized by
+.BR catsign (1).
+Default is
+.B dsa
+if
+.I kx
+is
+.BR dh ,
+or
+.B ecdsa
+if
+.I kx
+is
+.BR ec .
+.TP
+.I sig-genalg
+Key-generation algorithm for signing key. Default depends on
+.I sig
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+sig sig-genalg
+_
+kcdsa dh
+dsa dsa
+rsapcs1 rsa
+rsapss rsa
+ecdsa ec
+eckcdsa ec
+_
+.TE
+.TP
+.I sig-param
+Signature-key generation parameters. Default depends on
+.I sig-genalg
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+sig-genalg sig-param
+_
+dh \-LS \-b2048 \-B256
+dsa \-b2048 \-B256
+rsa \-b2048
+ec \-Cnist-p256
+_
+.TE
+.TP
+.I sig-hash
+Hash function to use for making signatures. Default is
+.IR hash .
+.TP
+.I sig-fresh
+Oldest time we should consider a signed archive to be fresh. Default is
+.BR always ,
+meaning that all signatures are fresh.
+.TP
+.I sig-expire
+Expiry time for master signing key. Default is
+.BR forever .
+.TP
+.I fingerprint-hash
+Hash function to use for key fingerprinting. Default is
+.IR hash .
+.SS "Master maintenance parameters"
+.TP
+.I base-dir
+Local base directory for the repository files. This probably ought to
+end in a
+.RB ` / '
+character. No default.
+.TP
+.I repos-file
+Filename for local repository tarball. Default is the concatenation of
+.I base-dir
+and
+.IB repos-base .
+.TP
+.I sig-file
+Tempalte for repository signatures. Default is the concatenation of
+.I base-dir
+and
+.IR sig-base .
+.TP
+.I conf-file
+Filename for local repository configuration file. Default is
+.IB basedir /tripe-keys.conf \fR.
+.SH "SEE ALSO"
+.BR tripe (8),
+.BR tripe\-keys (8).
+.SH "AUTHOR"
+Mark Wooding, <mdw@distorted.org.uk>
~mdw / tripe / blobdiff