X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/bdbd93268bb289994126ec46cbf4b66461579b92..fc916a0942e6ef8f63aefb96119d0e4fd7c7efbb:/keys/tripe-keys.conf.5.in?ds=sidebyside
diff --git a/keys/tripe-keys.conf.5.in b/keys/tripe-keys.conf.5.in
new file mode 100644
index 00000000..c6e0f257
--- /dev/null
+++ b/keys/tripe-keys.conf.5.in
@@ -0,0 +1,294 @@
+.\" -*-nroff-*-
+.\".
+.\" Manual for the key-management configuration files
+.\"
+.\" (c) 2008 Straylight/Edgeware
+.\"
+.
+.\"----- Licensing notice ---------------------------------------------------
+.\"
+.\" This file is part of Trivial IP Encryption (TrIPE).
+.\"
+.\" TrIPE is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" TrIPE is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with TrIPE; if not, write to the Free Software Foundation,
+.\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+.
+.\"--------------------------------------------------------------------------
+.so ../defs.man.in \" @@@PRE@@@
+.
+.\"--------------------------------------------------------------------------
+.TH tripe-keys.conf 5 "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
+.
+.\"--------------------------------------------------------------------------
+.SH "NAME"
+.
+tripe-keys.conf \- configuration file format for tripe-keys
+.
+.\"--------------------------------------------------------------------------
+.SH "DESCRIPTION"
+.
+The
+.B tripe-keys.master
+or
+.B tripe-keys.conf
+file is a simple line-based configuration file read by
+.BR tripe-keys (1).
+Lines may be empty (consist only of whitespace), be comments (first
+non-whitespace character is
+.RB ` # ')
+or have the form
+.IP
+.I name
+.RB [ = ]
+.I value
+.PP
+A
+.I name
+consists of alphanumeric characters and hyphens. Values may contain
+substitutions, of the form
+.BI ${ name } \fR,
+which are replaced by the value assigned to
+.IR name .
+Many
+.IR name s
+have significance to the
+.B tripe-keys
+program: these are described below. Many have sensible defaults.
+.SS "The tripe-keys.master file"
+The client configuration file is built by applying substitutions to the
+.B tripe-keys.master
+file. The following tokens are substituted:
+.TP
+.B @MASTER-SEQUENCE@
+The sequence number of the most recently-added signing key.
+.TP
+.B @HK-MASTER@
+The fingerprint of the signing key identified by
+.BR @MASTER-SEQUENCE@ .
+.SS "Master repository parameters"
+.TP
+.I base-url
+The base URL of the key repository (usually with a trailing
+.RB ` / ').
+Typically, this will be something like
+.RB http://www.distorted.org.uk/vpn/ .
+No default.
+.TP
+.I repos-base
+The basename for the repository archive. Default is
+.BR tripe-keys.tar.gz .
+.TP
+.I sig-base
+The basename template for repository signatures. Default is
+.BR tripe-keys.sig- .
+The
+.RB ` '
+portion, if any, is replaced by the sequence number of the key which
+made the signature.
+.TP
+.I repos-url
+The URL for the key repository tarball. Default is the concatenation of
+.I base-url
+and
+.IR repos-base .
+.TP
+.I sig-url
+The URL template for key repository signatures. Default is the
+concatenation of
+.I base-url
+and
+.IR sig-base .
+.TP
+.I master-sequence
+The sequence number of the master authority's current signing key. No
+default. Usually set up automatically.
+.TP
+.I master-keygen-flags
+Additional options for generating master keys. Default is
+.RB ` -l '.
+.TP
+.I hk-master
+The fingerprint of the current master signing key. No default. Usually
+set up automatically.
+.TP
+.I upload-hook
+A shell command to run by
+.B tripe-keys upload
+after it has successfully written the
+.I repos-file
+and
+.IR sig-file s.
+Default is
+.B ": run upload hook"
+which does nothing.
+.SS "Crypto parameters"
+.TP
+.I kx
+Key-exchange algorithm to use. Either
+.B dh
+(integer Diffie-Hellman)
+or
+.B ec
+(elliptic curves). The default is
+.BR dh .
+.TP
+.I kx-param
+Options to pass to
+.B "key add"
+when generating the parameters key. Default depends on
+.I kx
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx kx-param
+_
+dh \-LS \-b2048 \-B256
+ec \-Cnist-p256
+_
+.TE
+.TP
+.I kx-expire
+Expiry time for generated keys. Default is
+.BR "now + 1 day" .
+.TP
+.I hash
+Hashing algorithm to use. Default is
+.BR sha256 .
+.TP
+.I mac
+Message authentication algorithm to use. Default is
+.IB hash -hmac/ halfhashlen \fR,
+where
+.I halfhashlen
+is half of
+.IR hash 's
+output length.
+.TP
+.I mgf
+Mask-generation algorithm to use. Default is
+.IB hash -mgf \fR.
+This is probably a good choice.
+.TP
+.I cipher
+Symmetric encryption scheme to use. Default is
+.BR blowfish-cbc .
+.TP
+.I sig
+Signature scheme to use. Must be one of those recognized by
+.BR catsign (1).
+Default is
+.B dsa
+if
+.I kx
+is
+.BR dh ,
+or
+.B ecdsa
+if
+.I kx
+is
+.BR ec .
+.TP
+.I sig-genalg
+Key-generation algorithm for signing key. Default depends on
+.I sig
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+sig sig-genalg
+_
+kcdsa dh
+dsa dsa
+rsapcs1 rsa
+rsapss rsa
+ecdsa ec
+eckcdsa ec
+_
+.TE
+.TP
+.I sig-param
+Signature-key generation parameters. Default depends on
+.I sig-genalg
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+sig-genalg sig-param
+_
+dh \-LS \-b2048 \-B256
+dsa \-b2048 \-B256
+rsa \-b2048
+ec \-Cnist-p256
+_
+.TE
+.TP
+.I sig-hash
+Hash function to use for making signatures. Default is
+.IR hash .
+.TP
+.I sig-fresh
+Oldest time we should consider a signed archive to be fresh. Default is
+.BR always ,
+meaning that all signatures are fresh.
+.TP
+.I sig-expire
+Expiry time for master signing key. Default is
+.BR forever .
+.TP
+.I fingerprint-hash
+Hash function to use for key fingerprinting. Default is
+.IR hash .
+.SS "Master maintenance parameters"
+.TP
+.I base-dir
+Local base directory for the repository files. This probably ought to
+end in a
+.RB ` / '
+character. No default.
+.TP
+.I repos-file
+Filename for local repository tarball. Default is the concatenation of
+.I base-dir
+and
+.IB repos-base .
+.TP
+.I sig-file
+Tempalte for repository signatures. Default is the concatenation of
+.I base-dir
+and
+.IR sig-base .
+.TP
+.I conf-file
+Filename for local repository configuration file. Default is
+.IB basedir /tripe-keys.conf \fR.
+.
+.\"--------------------------------------------------------------------------
+.SH "SEE ALSO"
+.
+.BR tripe (8),
+.BR tripe\-keys (8).
+.
+.\"--------------------------------------------------------------------------
+.SH "AUTHOR"
+.
+Mark Wooding,
+.
+.\"----- That's all, folks --------------------------------------------------