server/, keys/: Add bulk crypto transform based on NaCl `crypto_secretbox'.
diff --git
a/keys/tripe-keys.conf.5.in
b/keys/tripe-keys.conf.5.in
index
49e360d
..
ab4c9e1
100644
(file)
--- a/
keys/tripe-keys.conf.5.in
+++ b/
keys/tripe-keys.conf.5.in
@@
-117,6
+117,13
@@
default. Usually set up automatically.
Additional options for generating master keys. Default is
.RB ` -l '.
.TP
Additional options for generating master keys. Default is
.RB ` -l '.
.TP
+.I master-attrs
+Additional attributes to set on the master key,
+as
+.IB key = value
+pairs separated by spaces.
+Default is empty.
+.TP
.I hk-master
The fingerprint of the current master signing key. No default. Usually
set up automatically.
.I hk-master
The fingerprint of the current master signing key. No default. Usually
set up automatically.
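Review bot: the new master-attrs entry says the attributes are key=value pairs separated by spaces but does not say how a value that itself contains a space or an "=" is written, or whether such values are simply unsupported; add one sentence giving the quoting rule (or stating the restriction) so users do not discover the limit only when a key is rejected.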
@@
-141,6
+148,47
@@
or
.B ec
(elliptic curves). The default is
.BR dh .
.B ec
(elliptic curves). The default is
.BR dh .
+.ne 7
+.TP
+.I kx-genalg
+Key generation algorithm name to pass to
+.B "key add"
+when generating keys.
+Default depends on
+.I kx
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx kx-genalg
+_
+dh dh
+ec ec
+_
+.TE
+.ne 7
+.TP
+.I kx-param-genalg
+Key generation algorithm name to pass to
+.B "key add"
+when generating the parameters key.
+Default depends on
+.I kx
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx kx-param-genalg
+_
+dh dh-param
+ec ec-param
+_
+.TE
+.ne 7
.TP
.I kx-param
Options to pass to
.TP
.I kx-param
Options to pass to
@@
-160,6
+208,15
@@
ec \-Cnist-p256
_
.TE
.TP
_
.TE
.TP
+.I kx-attrs
+Additional attributes to set on the parameters
+(and therefore copied to peer keys),
+as
+.IB key = value
+pairs separated by spaces.
+Default is
+.BR serialization=constlen .
+.TP
.I kx-expire
Expiry time for generated keys. Default is
.BR "now + 1 year" .
.I kx-expire
Expiry time for generated keys. Default is
.BR "now + 1 year" .
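Review bot: the kx-attrs default of serialization=constlen is stated without saying what it does or why it is the default, and the text does not say whether a user-supplied kx-attrs value replaces or extends the default. If it replaces, anyone who sets kx-attrs to add a single attribute silently drops serialization=constlen from the parameters, and (as the entry itself says) from every peer key copied from them; state which behaviour applies and, if it is replacement, advise keeping serialization=constlen in any override.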
@@
-168,39
+225,79
@@
Expiry time for generated keys. Default is
Hashing algorithm to use. Default is
.BR sha256 .
.TP
Hashing algorithm to use. Default is
.BR sha256 .
.TP
+.I bulk
+The bulk crypto transform to use.
+Default is
+.BR iiv .
+.ne 8
+.TP
.I mac
.I mac
-Message authentication algorithm to use. Default is
-.IB hash -hmac/ halfhashlen \fR,
-where
+Message authentication algorithm to use.
+Default depends on
+.I bulk
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+bulk mac
+_
+v0 \fIhash\fB-hmac/\fIhalfhashlen
+iiv \fIhash\fB-hmac/\fIhalfhashlenrijndael-cbc
+naclbox poly1305/128
+_
+.TE
+.IP
+(In the above,
.I halfhashlen
is half of
.IR hash 's
.I halfhashlen
is half of
.IR hash 's
-output length.
+output length.
)
.TP
.I mgf
Mask-generation algorithm to use. Default is
.IB hash -mgf \fR.
This is probably a good choice.
.TP
.I mgf
Mask-generation algorithm to use. Default is
.IB hash -mgf \fR.
This is probably a good choice.
+.ne 7
.TP
.I cipher
.TP
.I cipher
-Symmetric encryption scheme to use. Default is
-.BR blowfish-cbc .
+Symmetric encryption scheme to use.
+Default depends on
+.I bulk
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+bulk cipher
+_
+v0 rijndael-cbc
+iiv rijndael-cbc
+naclbox chacha20
+_
+.TE
+.ne 7
.TP
.I sig
Signature scheme to use. Must be one of those recognized by
.BR catsign (1).
.TP
.I sig
Signature scheme to use. Must be one of those recognized by
.BR catsign (1).
-Default is
-.B dsa
-if
-.I kx
-is
-.BR dh ,
-or
-.B ecdsa
-if
+Default depends on
.I kx
.I kx
-is
-.BR ec .
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx sig
+_
+dh dsa
+ec ecdsa
+_
+.TE
+.ne 12
.TP
.I sig-genalg
Key-generation algorithm for signing key. Default depends on
.TP
.I sig-genalg
Key-generation algorithm for signing key. Default depends on
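Review bot: the iiv row of the mac table reads "\fIhash\fB-hmac/\fIhalfhashlenrijndael-cbc", which looks like the v0 value with rijndael-cbc pasted onto the end (rijndael-cbc is the iiv entry in the cipher table later in this hunk); it should presumably be "\fIhash\fB-hmac/\fIhalfhashlen" like the v0 row. Two smaller points in the same hunk: the new bulk entry gives the default iiv but never lists the accepted values, even though the mac and cipher tables that follow rely on the reader knowing v0, iiv and naclbox, so enumerate them in the bulk entry; and the "-output length." / "+output length." pair is a whitespace-only change that adds noise to the diff.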
@@
-219,8
+316,11
@@
rsapcs1 rsa
rsapss rsa
ecdsa ec
eckcdsa ec
rsapss rsa
ecdsa ec
eckcdsa ec
+ed25519 ed25519
+ed448 ed448
_
.TE
_
.TE
+.ne 10
.TP
.I sig-param
Signature-key generation parameters. Default depends on
.TP
.I sig-param
Signature-key generation parameters. Default depends on
@@
-237,6
+337,8
@@
dh \-LS \-b3072 \-B256
dsa \-b3072 \-B256
rsa \-b3072
ec \-Cnist-p256
dsa \-b3072 \-B256
rsa \-b3072
ec \-Cnist-p256
+ed25519 \fInone
+ed448 \fInone
_
.TE
.TP
_
.TE
.TP
@@
-262,7
+364,9
@@
Hash function to use for key fingerprinting. Default is
Local base directory for the repository files. This probably ought to
end in a
.RB ` / '
Local base directory for the repository files. This probably ought to
end in a
.RB ` / '
-character. No default.
+character. Unexpected files in this directory will be removed by the
+.B tripe-keys upload
+command. No default.
.TP
.I repos-file
Filename for local repository tarball. Default is the concatenation of
.TP
.I repos-file
Filename for local repository tarball. Default is the concatenation of
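Review bot: "Unexpected files in this directory will be removed by the tripe-keys upload command" documents a destructive behaviour but leaves "unexpected" undefined; say which files upload treats as expected and add an explicit warning that repos-base must be a directory dedicated to tripe-keys, since pointing it at a shared or home directory would delete unrelated files.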