keys/tripe-keys.master: Include a nontrivial `sig-fresh' example.

[tripe] / keys / tripe-keys.conf.5.in

diff --git a/keys/tripe-keys.conf.5.in b/keys/tripe-keys.conf.5.in
index 887faf67090936393b67012805e9141ff157890d..4fc0485a23635590caeba41679e94af52d756291 100644 (file)
--- a/keys/tripe-keys.conf.5.in
+++ b/keys/tripe-keys.conf.5.in
@@ -27,7 +27,7 @@
 .so ../common/defs.man \" @@@PRE@@@
 .
 .\"--------------------------------------------------------------------------
 .so ../common/defs.man \" @@@PRE@@@
 .
 .\"--------------------------------------------------------------------------

-.TH tripe-keys.conf 5 "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
+.TH tripe-keys.conf 5tripe "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"

 .
 .\"--------------------------------------------------------------------------
 .SH "NAME"
 .
 .\"--------------------------------------------------------------------------
 .SH "NAME"


@@ -117,6 +117,13 @@ default.  Usually set up automatically.
 Additional options for generating master keys.  Default is
 .RB ` -l '.
 .TP
 Additional options for generating master keys.  Default is
 .RB ` -l '.
 .TP

+.I master-attrs
+Additional attributes to set on the master key,
+as
+.IB key = value
+pairs separated by spaces.
+Default is empty.
+.TP

 .I hk-master
 The fingerprint of the current master signing key.  No default.  Usually
 set up automatically.
 .I hk-master
 The fingerprint of the current master signing key.  No default.  Usually
 set up automatically.


@@ -141,6 +148,51 @@ or
 .B ec
 (elliptic curves).  The default is
 .BR dh .
 .B ec
 (elliptic curves).  The default is
 .BR dh .

+.ne 9
+.TP
+.I kx-genalg
+Key generation algorithm name to pass to
+.B "key add"
+when generating keys.
+Default depends on
+.I kx
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx     kx-genalg
+_
+dh     dh
+ec     ec
+x25519 x25519
+x448   x448
+_
+.TE
+.ne 9
+.TP
+.I kx-param-genalg
+Key generation algorithm name to pass to
+.B "key add"
+when generating the parameters key.
+Default depends on
+.I kx
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx     kx-param-genalg
+_
+dh     dh-param
+ec     ec-param
+x25519 empty
+x448   empty
+_
+.TE
+.ne 9

 .TP
 .I kx-param
 Options to pass to
 .TP
 .I kx-param
 Options to pass to


@@ -157,6 +209,32 @@ kx kx-param
 _
 dh     \-LS \-b3072 \-B256
 ec     \-Cnist-p256
 _
 dh     \-LS \-b3072 \-B256
 ec     \-Cnist-p256

+x25519 \fInone
+x448   \fInone
+_
+.TE
+.ne 9
+.TP
+.I kx-attrs
+Additional attributes to set on the parameters
+(and therefore copied to peer keys),
+as
+.IB key = value
+pairs separated by spaces.
+Default depends on
+.I kx
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx     kx-attrs
+_
+dh     serialization=constlen
+ec     serialization=constlen
+x25519 \fIempty
+x448   \fIempty

 _
 .TE
 .TP
 _
 .TE
 .TP


@@ -168,39 +246,81 @@ Expiry time for generated keys.  Default is
 Hashing algorithm to use.  Default is
 .BR sha256 .
 .TP
 Hashing algorithm to use.  Default is
 .BR sha256 .
 .TP

+.I bulk
+The bulk crypto transform to use.
+Default is
+.BR iiv .
+.ne 8
+.TP

 .I mac
 .I mac

-Message authentication algorithm to use.  Default is
-.IB hash -hmac/ halfhashlen \fR,
-where
+Message authentication algorithm to use.
+Default depends on
+.I bulk
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+bulk   mac
+_
+v0     \fIhash\fB-hmac/\fIhalfhashlen
+iiv    \fIhash\fB-hmac/\fIhalfhashlenrijndael-cbc
+naclbox        poly1305/128
+_
+.TE
+.IP
+(In the above,

 .I halfhashlen
 is half of
 .IR hash 's
 .I halfhashlen
 is half of
 .IR hash 's

-output length.
+output length.)

 .TP
 .I mgf
 Mask-generation algorithm to use.  Default is
 .IB hash -mgf \fR.
 This is probably a good choice.
 .TP
 .I mgf
 Mask-generation algorithm to use.  Default is
 .IB hash -mgf \fR.
 This is probably a good choice.

+.ne 7

 .TP
 .I cipher
 .TP
 .I cipher

-Symmetric encryption scheme to use.  Default is
-.BR blowfish-cbc .
+Symmetric encryption scheme to use.
+Default depends on
+.I bulk
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+bulk   cipher
+_
+v0     rijndael-cbc
+iiv    rijndael-cbc
+naclbox        chacha20
+_
+.TE
+.ne 8

 .TP
 .I sig
 Signature scheme to use.  Must be one of those recognized by
 .BR catsign (1).
 .TP
 .I sig
 Signature scheme to use.  Must be one of those recognized by
 .BR catsign (1).

-Default is
-.B dsa
-if
+Default depends on

 .I kx
 .I kx

-is
-.BR dh ,
-or
-.B ecdsa
-if
-.I kx
-is
-.BR ec .
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx     sig
+_
+dh     dsa
+ec     ecdsa
+x25519 ed25519
+x448   ed448
+_
+.TE
+.ne 12

 .TP
 .I sig-genalg
 Key-generation algorithm for signing key.  Default depends on
 .TP
 .I sig-genalg
 Key-generation algorithm for signing key.  Default depends on


@@ -219,8 +339,11 @@ rsapcs1    rsa
 rsapss rsa
 ecdsa  ec
 eckcdsa        ec
 rsapss rsa
 ecdsa  ec
 eckcdsa        ec

+ed25519        ed25519
+ed448  ed448

 _
 .TE
 _
 .TE

+.ne 10

 .TP
 .I sig-param
 Signature-key generation parameters.  Default depends on
 .TP
 .I sig-param
 Signature-key generation parameters.  Default depends on


@@ -237,6 +360,8 @@ dh  \-LS \-b3072 \-B256
 dsa    \-b3072 \-B256
 rsa    \-b3072
 ec     \-Cnist-p256
 dsa    \-b3072 \-B256
 rsa    \-b3072
 ec     \-Cnist-p256

+ed25519        \fInone
+ed448  \fInone

 _
 .TE
 .TP
 _
 .TE
 .TP


@@ -262,7 +387,9 @@ Hash function to use for key fingerprinting.  Default is
 Local base directory for the repository files.  This probably ought to
 end in a
 .RB ` / '
 Local base directory for the repository files.  This probably ought to
 end in a
 .RB ` / '

-character.  No default.
+character.  Unexpected files in this directory will be removed by the
+.B tripe-keys upload
+command.  No default.

 .TP
 .I repos-file
 Filename for local repository tarball.  Default is the concatenation of
 .TP
 .I repos-file
 Filename for local repository tarball.  Default is the concatenation of


@@ -279,6 +406,13 @@ and
 .I conf-file
 Filename for local repository configuration file.  Default is
 .IB basedir /tripe-keys.conf \fR.
 .I conf-file
 Filename for local repository configuration file.  Default is
 .IB basedir /tripe-keys.conf \fR.

+.TP
+.I kx-warn-days
+The
+.B "tripe-keys check"
+command will warn about keys which will in less than
+.I kx-warn-days
+days.  Default is 28.

 .
 .\"--------------------------------------------------------------------------
 .SH "SEE ALSO"
 .
 .\"--------------------------------------------------------------------------
 .SH "SEE ALSO"