server/, keys/: Add bulk crypto transform based on NaCl `crypto_secretbox'.

[tripe] / keys / tripe-keys.conf.5.in

diff --git a/keys/tripe-keys.conf.5.in b/keys/tripe-keys.conf.5.in
index e993ad2..ab4c9e1 100644 (file)
--- a/keys/tripe-keys.conf.5.in
+++ b/keys/tripe-keys.conf.5.in
@@ -214,7 +214,8 @@ Additional attributes to set on the parameters
 as
 .IB key = value
 pairs separated by spaces.
-Default is empty.
+Default is
+.BR serialization=constlen .
 .TP
 .I kx-expire
 Expiry time for generated keys.  Default is
@@ -224,25 +225,60 @@ Expiry time for generated keys.  Default is
 Hashing algorithm to use.  Default is
 .BR sha256 .
 .TP
+.I bulk
+The bulk crypto transform to use.
+Default is
+.BR iiv .
+.ne 8
+.TP
 .I mac
-Message authentication algorithm to use.  Default is
-.IB hash -hmac/ halfhashlen \fR,
-where
+Message authentication algorithm to use.
+Default depends on
+.I bulk
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+bulk   mac
+_
+v0     \fIhash\fB-hmac/\fIhalfhashlen
+iiv    \fIhash\fB-hmac/\fIhalfhashlenrijndael-cbc
+naclbox        poly1305/128
+_
+.TE
+.IP
+(In the above,
 .I halfhashlen
 is half of
 .IR hash 's
-output length.
+output length.)
 .TP
 .I mgf
 Mask-generation algorithm to use.  Default is
 .IB hash -mgf \fR.
 This is probably a good choice.
-.ne 6
+.ne 7
 .TP
 .I cipher
-Symmetric encryption scheme to use.  Default is
-.BR rijndael-cbc .
-.ne 6
+Symmetric encryption scheme to use.
+Default depends on
+.I bulk
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+bulk   cipher
+_
+v0     rijndael-cbc
+iiv    rijndael-cbc
+naclbox        chacha20
+_
+.TE
+.ne 7
 .TP
 .I sig
 Signature scheme to use.  Must be one of those recognized by