* gpg.sgml: Document backsign, --require-backsigs, and

--no-require-backsigs.

* DETAILS: Clarify Key-Usage.

doc/ChangeLog

@@ -1,3 +1,10 @@
+2005-10-27  David Shaw  <dshaw@jabberwocky.com>
+
+	* gpg.sgml: Document backsign, --require-backsigs, and
+	--no-require-backsigs.
+
+	* DETAILS: Clarify Key-Usage.
+
 2005-10-07  Werner Koch  <wk@g10code.com>
 
 	* gpgv.sgml: Small spelling corrections by Mike Dowling.

doc/DETAILS

@@ -587,7 +587,7 @@ more arguments in future versions.
         PIN change really worked.
 
     BACKUP_KEY_CREATED fingerprint fname
-        A backup key named FNAME has been created for the key wityh
+        A backup key named FNAME has been created for the key with
         KEYID.
 
 
@@ -750,8 +750,13 @@ The format of this file is as follows:
 	Length of the key in bits.  Default is 1024.
      Key-Usage: <usage-list>
         Space or comma delimited list of key usage, allowed values are
-        "encrypt" and "sign".  This is used to generate the key flags.
-        Please make sure that the algorithm is capable of this usage.
+        "encrypt", "sign", and "auth".  This is used to generate the
+        key flags.  Please make sure that the algorithm is capable of
+        this usage.  Note that OpenPGP requires that all primary keys
+        are capable of certification, so no matter what usage is given
+        here, the "cert" flag will be on.  If no Key-Usage is
+        specified, all the allowed usages for that particular
+        algorithm are used.
      Subkey-Type: <algo-number>|<algo-string>
 	This generates a secondary key.  Currently only one subkey
 	can be handled.

doc/gpg.sgml

@@ -563,6 +563,14 @@ that is no longer usable (e.g. revoked, or expired).
 </variablelist>
 
 If invoked with no arguments, both `sigs' and `uids' are cleaned.
+</para></listitem></varlistentry>
+
+<varlistentry>
+<term>backsign</term>
+<listitem></para>
+Add back signatures to signing subkeys that may not currently have
+back signatures.  Back signatures protect against a subtle attack
+against signing subkeys.  See --require-backsigs.
 </para></listitem></varlistentry>
 
     <varlistentry>
@@ -2712,6 +2720,17 @@ content of an encrypted message; using this option you can do this without
 handing out the secret key.
 </para></listitem></varlistentry>
 
+<varlistentry>
+<term>--require-backsigs</term>
+<term>--no-require-backsigs</term>
+<listitem><para>
+When verifying a signature made from a subkey, ensure that the "back
+signature" on the subkey is present and valid.  This protects against
+a subtle attack against subkeys that can sign.  Currently defaults to
+--no-require-backsigs, but will be changed to --require-backsigs in
+the future.
+</para></listitem></varlistentry>
+
 <varlistentry>
 <term>--ask-sig-expire</term>
 <term>--no-ask-sig-expire</term>