X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/e99aedcf9373b3305c32e510c086bf3357b4736a..f220a1d75f50cea337908a392bf7f01b573edc97:/keys/tripe-keys.conf.5.in diff --git a/keys/tripe-keys.conf.5.in b/keys/tripe-keys.conf.5.in index 887faf67..4fc0485a 100644 --- a/keys/tripe-keys.conf.5.in +++ b/keys/tripe-keys.conf.5.in @@ -27,7 +27,7 @@ .so ../common/defs.man \" @@@PRE@@@ . .\"-------------------------------------------------------------------------- -.TH tripe-keys.conf 5 "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption" +.TH tripe-keys.conf 5tripe "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption" . .\"-------------------------------------------------------------------------- .SH "NAME" @@ -117,6 +117,13 @@ default. Usually set up automatically. Additional options for generating master keys. Default is .RB ` -l '. .TP +.I master-attrs +Additional attributes to set on the master key, +as +.IB key = value +pairs separated by spaces. +Default is empty. +.TP .I hk-master The fingerprint of the current master signing key. No default. Usually set up automatically. @@ -141,6 +148,51 @@ or .B ec (elliptic curves). The default is .BR dh . +.ne 9 +.TP +.I kx-genalg +Key generation algorithm name to pass to +.B "key add" +when generating keys. +Default depends on +.I kx +as follows. +.TS +center; +| ci | ci | +| lb | lb |. +_ +kx kx-genalg +_ +dh dh +ec ec +x25519 x25519 +x448 x448 +_ +.TE +.ne 9 +.TP +.I kx-param-genalg +Key generation algorithm name to pass to +.B "key add" +when generating the parameters key. +Default depends on +.I kx +as follows. +.TS +center; +| ci | ci | +| lb | lb |. +_ +kx kx-param-genalg +_ +dh dh-param +ec ec-param +x25519 empty +x448 empty +_ +.TE +.ne 9 .TP .I kx-param Options to pass to 
@@ -157,6 +209,32 @@ kx kx-param _ dh \-LS \-b3072 \-B256 ec \-Cnist-p256 +x25519 \fInone +x448 \fInone +_ +.TE +.ne 9 +.TP +.I kx-attrs +Additional attributes to set on the parameters +(and therefore copied to peer keys), +as +.IB key = value +pairs separated by spaces. +Default depends on +.I kx +as follows. +.TS +center; +| ci | ci | +| lb | lb |. +_ +kx kx-attrs +_ +dh serialization=constlen +ec serialization=constlen +x25519 \fIempty +x448 \fIempty _ .TE .TP @@ -168,39 +246,81 @@ Expiry time for generated keys. Default is Hashing algorithm to use. Default is .BR sha256 . .TP +.I bulk +The bulk crypto transform to use. +Default is +.BR iiv . +.ne 8 +.TP .I mac -Message authentication algorithm to use. Default is -.IB hash -hmac/ halfhashlen \fR, -where +Message authentication algorithm to use. +Default depends on +.I bulk +as follows. +.TS +center; +| ci | ci | +| lb | lb |. +_ +bulk mac +_ +v0 \fIhash\fB-hmac/\fIhalfhashlen +iiv \fIhash\fB-hmac/\fIhalfhashlenrijndael-cbc +naclbox poly1305/128 +_ +.TE +.IP +(In the above, .I halfhashlen is half of .IR hash 's -output length. +output length.) .TP .I mgf Mask-generation algorithm to use. Default is .IB hash -mgf \fR. This is probably a good choice. +.ne 7 .TP .I cipher -Symmetric encryption scheme to use. Default is -.BR blowfish-cbc . +Symmetric encryption scheme to use. +Default depends on +.I bulk +as follows. +.TS +center; +| ci | ci | +| lb | lb |. +_ +bulk cipher +_ +v0 rijndael-cbc +iiv rijndael-cbc +naclbox chacha20 +_ +.TE +.ne 8 .TP .I sig Signature scheme to use. Must be one of those recognized by .BR catsign (1). -Default is -.B dsa -if +Default depends on .I kx -is -.BR dh , -or -.B ecdsa -if -.I kx -is -.BR ec . +as follows. +.TS +center; +| ci | ci | +| lb | lb |. +_ +kx sig +_ +dh dsa +ec ecdsa +x25519 ed25519 +x448 ed448 +_ +.TE +.ne 12 .TP .I sig-genalg Key-generation algorithm for signing key. Default depends on 
@@ -219,8 +339,11 @@ rsapcs1 rsa rsapss rsa ecdsa ec eckcdsa ec +ed25519 ed25519 +ed448 ed448 _ .TE +.ne 10 .TP .I sig-param Signature-key generation parameters. Default depends on @@ -237,6 +360,8 @@ dh \-LS \-b3072 \-B256 dsa \-b3072 \-B256 rsa \-b3072 ec \-Cnist-p256 +ed25519 \fInone +ed448 \fInone _ .TE .TP @@ -262,7 +387,9 @@ Hash function to use for key fingerprinting. Default is Local base directory for the repository files. This probably ought to end in a .RB ` / ' -character. No default. +character. Unexpected files in this directory will be removed by the +.B tripe-keys upload +command. No default. .TP .I repos-file Filename for local repository tarball. Default is the concatenation of @@ -279,6 +406,13 @@ and .I conf-file Filename for local repository configuration file. Default is .IB basedir /tripe-keys.conf \fR. +.TP +.I kx-warn-days +The +.B "tripe-keys check" +command will warn about keys which will in less than +.I kx-warn-days +days. Default is 28. . .\"-------------------------------------------------------------------------- .SH "SEE ALSO"
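Review bot: the .TH section change from `5` to `5tripe` in the `@@ -27,7 +27,7 @@` hunk alters how the page is looked up (`man 5 tripe-keys.conf` and `.BR tripe-keys.conf (5)` cross-references no longer match the installed section name), so the SEE ALSO entries in the sibling pages and the install rule should be updated in the same change; if the suffix is deliberate project convention, a one-line note in the commit message saying so would save the next reader the question.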
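Review bot: the "no value" marker is inconsistent across the new tables in the `@@ -141,6 +148,51 @@` and `@@ -157,6 +209,32 @@` hunks: kx-param-genalg uses plain `empty` (`x25519 empty`, `x448 empty`), kx-attrs uses `\fIempty`, and kx-param uses `\fInone`. Pick one word and one font treatment for all of them, since an unitalicised `empty` in a table of algorithm names passed to `key add` reads as a literal algorithm called "empty". It would also help to say in the kx-param-genalg text what tripe-keys does when the entry is empty (presumably no parameters key is generated), as the rest of the page assumes one exists.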
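Review bot: the iiv row of the mac table in the `@@ -168,39 +246,81 @@` hunk, `iiv \fIhash\fB-hmac/\fIhalfhashlenrijndael-cbc`, runs the italic halfhashlen straight into rijndael-cbc with no separator and no `\fR`, so it renders as one word and no longer fits the pattern the following "(In the above, halfhashlen is half of ...)" paragraph explains. This looks like a stray paste from the cipher table further down; please check the default that tripe-keys actually computes for bulk=iiv and either drop the trailing rijndael-cbc or add the missing separator and font reset.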
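Review bot: the new sentence in the `@@ -262,7 +387,9 @@` hunk, that `tripe-keys upload` removes unexpected files from repos-base, is the most consequential line in this patch and deserves stronger wording: a repos-base that is mis-set or shared with unrelated content will have that content deleted on the next upload. Consider an explicit warning (for example "Do not point this at a directory that holds anything else") and repeating the caveat in the upload command's own documentation, where users will look before running it.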
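Review bot: the kx-warn-days description in the `@@ -279,6 +406,13 @@` hunk is missing its verb: `command will warn about keys which will in less than` should read `command will warn about keys which will expire in less than`. The entry is otherwise fine.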