('conf-file', '${base-dir}tripe-keys.conf'),
('upload-hook', ': run upload hook'),
('kx', 'dh'),
- ('kx-param', lambda: {'dh': '-LS -b2048 -B256',
+ ('kx-param', lambda: {'dh': '-LS -b3072 -B256',
'ec': '-Cnist-p256'}[conf['kx']]),
('kx-expire', 'now + 1 year'),
- ('cipher', 'blowfish-cbc'),
+ ('cipher', 'rijndael-cbc'),
('hash', 'sha256'),
('master-keygen-flags', '-l'),
('mgf', '${hash}-mgf'),
'rsapss': 'rsa',
'ecdsa': 'ec',
'eckcdsa': 'ec'}[conf['sig']]),
- ('sig-param', lambda: {'dh': '-LS -b2048 -B256',
- 'dsa': '-b2048 -B256',
+ ('sig-param', lambda: {'dh': '-LS -b3072 -B256',
+ 'dsa': '-b3072 -B256',
'ec': '-Cnist-p256',
- 'rsa': '-b2048'}[conf['sig-genalg']]),
+ 'rsa': '-b3072'}[conf['sig-genalg']]),
('sig-hash', '${hash}'),
('sig-expire', 'forever'),
('fingerprint-hash', '${hash}')]:
-# tripe-keys configuration file
-#
-# see tripe-keys.conf(5) for full details
+### -*-conf-*-
+###
+### tripe-keys configuration file
+###
+### see tripe-keys.conf(5) for full details
-### File locations (required)
+###--------------------------------------------------------------------------
+### File locations (required).
-# The base URL for the repository files. Include the trailing slash if
-# necessary.
+## The base URL for the repository files. Include the trailing slash if
+## necessary.
# base-url = http://some.server.somewhere/blah/
-# The local directory name for the repository files. Again, include the
-# trailing slash if necessary.
+## The local directory name for the repository files. Again, include the
+## trailing slash if necessary.
# base-dir = /some/directory/blah/
-### Crypto parameters
+###--------------------------------------------------------------------------
+### Crypto parameters.
-# The key-exchange type. May be `dh' or `ec'.
+## The key-exchange type. May be `dh' or `ec'.
# kx = dh
-# Key-generation parameters for key exchange group.
-# kx-param = -LS -b2048 -B256
+## Key-generation parameters for key exchange group.
+# kx-param = -LS -b3072 -B256
+# kx-param = -Pnist-p256
-# Expiry time for peer key-exchange keys.
-# kx-expire = now + 1 day
+## Expiry time for peer key-exchange keys.
+# kx-expire = now + 1 year
-# Symmetric encryption scheme to use.
-# cipher = blowfish-cbc
+## Symmetric encryption scheme to use.
+# cipher = rijndael-cbc
-# Hash function to use. (We derive the MGF and MAC from this.)
+## Hash function to use. (We derive the MGF and MAC from this.)
# hash = sha256
-# Signature scheme to use for signing/verifying repository archives.
+## Signature scheme to use for signing/verifying repository archives.
# sig = dsa
+# sig = ecdsa
-# How recently an archive must have been signed to be valid.
+## How recently an archive must have been signed to be valid.
# sig-fresh = always
-# When the signing key expires.
+## When the master signing key expires.
# sig-expire = forever
+###--------------------------------------------------------------------------
### Master key integrity
-# Since the master public key is contained within the repository, we must
-# check its integrity: therefore we record its sequence number and
-# fingerprint here. These are filled in automatically by
-# `tripe-keys upload'. Leave them as they are.
+## Since the master public key is contained within the repository, we must
+## check its integrity: therefore we record its sequence number and
+## fingerprint here. These are filled in automatically by `tripe-keys
+## upload'. Leave them as they are.
master-sequence = @MASTER-SEQUENCE@
hk-master = @HK-MASTER@
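Review bot: The new commented example `# kx-param = -Pnist-p256` does not match the default the script side of this commit installs, where both the kx-param and sig-param tables select the curve with `-Cnist-p256`; one of the two option letters is presumably wrong, and a user who uncomments the template line would get a different (or rejected) option from the built-in default. Confirm which letter the key tool actually takes for a named curve and make the template agree, e.g. `# kx-param = -Cnist-p256`. The hunk boundaries of this file are not visible on the page, so the surrounding context may continue outside the shown lines.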