X-Git-Url: https://git.distorted.org.uk/~mdw/tripe/blobdiff_plain/4a3882945f605704ede113a9fe98cd19a92363a7..HEAD:/server/tripe.8.in

diff --git a/server/tripe.8.in b/server/tripe.8.in
index 8b786828..f65bb3f0 100644
--- a/server/tripe.8.in
+++ b/server/tripe.8.in
@@ -286,7 +286,11 @@ is a terrible idea.
 .TP
 .BI "\-T, \-\-trace=" trace-opts
 Allows the enabling or disabling of various internal diagnostics.  See
-below for the list of options.
+the
+.B TRACE
+command in
+.BR trace-admin (5)
+for the list of options.
 .SS "Key exchange group types"
 The
 .B tripe
@@ -441,9 +445,9 @@ overridden by setting attributes on your private key, as follows.
 Names the bulk-crypto transform to use.  See below.
 .TP
 .B blkc
-Names a block cipher, used by some bulk-crypto transforms (e.g.,
+Names a blockcipher, used by some bulk-crypto transforms (e.g.,
 .BR iiv ).
-The default is to use the block cipher underlying the chosen
+The default is to use the blockcipher underlying the chosen
 .BR cipher ,
 if any.
 .TP
@@ -490,7 +494,7 @@ random and included explicitly in the cryptogram.
 .TP
 .B iiv
 A newer `implicit-IV' transform.  Rather than having an explicit random
-IV, the IV is computed from the sequence number using a block cipher.
+IV, the IV is computed from the sequence number using a blockcipher.
 This has two advantages over the
 .B v0
 transform.  Firstly, it adds less overhead to encrypted messages
@@ -500,6 +504,36 @@ doesn't need the (possibly slow) random number generator, and (b) it
 closes a kleptographic channel, over which a compromised implementation
 could leak secret information to a third party.
 .TP
+.B aead
+A transform based on an all-in-one `authenticated encryption with
+additional data' scheme.  The scheme is named in the
+.B cipher
+attribute; the default is
+.BR rijndael-ocb3 .
+If the
+.B mac
+attribute is given, it must be either
+.B aead
+or
+.BR aead/ \c
+.IR tagsz ,
+where
+.I tagsz
+is the desired tag length in bits; alternatively, the tag length can be
+set in the
+.B tagsz
+attribute.  The chosen AEAD scheme must accept at least a 64-bit nonce
+(this rules out OCB3 and CCM with 64-bit blockciphers); it mustn't
+require an absurdly large nonce size (none of the schemes implemented in
+Catacomb present a problem here, but it bears mentioning); it must
+actually support additional header data (which rules out the
+.B naclbox
+schemes, but see the
+.B naclbox
+transform below); and it must produce an empty ciphertext when
+encrypting an empty message (again, all of Catacomb's schemes meet this
+requirement).
+.TP
 .B naclbox
 A transform based on the NaCl
 .B crypto_secretbox