diff --git a/doc/ChangeLog b/doc/ChangeLog index 9677365bc..626fd6a51 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,8 @@ 2006-03-07 David Shaw + * gpg.sgml: Rename backsigs to cross-certification (backsigs is + just shorthand). Document max-cert-size. + * gpg.sgml: Document new way of enabling the PKA functions. Some minor other cleanups. diff --git a/doc/gpg.sgml b/doc/gpg.sgml index 753df0b79..44877a9f3 100644 --- a/doc/gpg.sgml +++ b/doc/gpg.sgml @@ -528,7 +528,7 @@ used by GnuPG. Set a preferred keyserver for the specified user ID(s). This allows other users to know where you prefer they get your key from. See ---keyserver-option honor-keyserver-url for more on how this works. +--keyserver-options honor-keyserver-url for more on how this works. Note that some versions of PGP interpret the presence of a keyserver URL as an instruction to enable PGP/MIME mail encoding. Setting a value of "none" removes a existing preferred keyserver. @@ -557,11 +557,12 @@ each user ID except for the most recent self-signature. -backsign +cross-certify -Add back signatures to signing subkeys that may not currently have -back signatures. Back signatures protect against a subtle attack -against signing subkeys. See --require-backsigs. +Add cross-certification signatures to signing subkeys that may not +currently have them. Cross-certification signatures protect against a +subtle attack against signing subkeys. See +--require-cross-certification. @@ -718,7 +719,7 @@ keyring. The fast version is currently just a synonym. There are a few other options which control how this command works. -Most notable here is the --keyserver-option merge-only option which +Most notable here is the --keyserver-options merge-only option which does not insert new keys but does only the merging of new signatures, user-IDs and subkeys. 
@@ -739,7 +740,7 @@ local keyring. This is useful for updating a key with the latest signatures, user IDs, etc. Calling this with no arguments will refresh the entire keyring. Option --keyserver must be used to give the name of the keyserver for all keys that do not have preferred -keyservers set (see --keyserver-option honor-keyserver-url). +keyservers set (see --keyserver-options honor-keyserver-url). @@ -1399,7 +1400,7 @@ be repeated multiple times to increase the verbosity level. -timeout +timeout&OptEqualsValue; Tell the keyserver helper program how long (in seconds) to try and perform a keyserver action before giving up. Note that performing @@ -1415,8 +1416,15 @@ timeout applies separately to each key retrieval, and not to the For HTTP-like keyserver schemes that (such as HKP and HTTP itself), try to access the keyserver over a proxy. If a &ParmValue; is specified, use this as the HTTP proxy. If no &ParmValue; is -specified, try to use the value of the environment variable -"http_proxy". +specified, the value of the environment variable "http_proxy", if any, +will be used. + + + +max-cert-size&OptEqualsValue; + +When retrieving a key via DNS CERT, only accept keys up to this size. +Defaults to 16384 bytes. 
@@ -2789,14 +2797,14 @@ handing out the secret key. ---require-backsigs ---no-require-backsigs +--require-cross-certification +--no-require-certification -When verifying a signature made from a subkey, ensure that the "back -signature" on the subkey is present and valid. This protects against -a subtle attack against subkeys that can sign. Currently defaults to ---no-require-backsigs, but will be changed to --require-backsigs in -the future. +When verifying a signature made from a subkey, ensure that the cross +certification "back signature" on the subkey is present and valid. +This protects against a subtle attack against subkeys that can sign. +Currently defaults to --no-require-cross-certification, but will be +changed to --require-cross-certification in the future.
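Review bot: the doc/ChangeLog entry in the first hunk mentions only the cross-certification rename and max-cert-size, but the patch also corrects --keyserver-option to --keyserver-options in three places, adds &OptEqualsValue; to timeout and rewords the http_proxy sentence. Consider extending the entry (for example "Fix --keyserver-options spelling") so that it matches what the diff changes.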
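Review bot: the @@ -557 hunk of doc/gpg.sgml replaces the backsign command name with cross-certify without saying whether backsign is still accepted. The ChangeLog calls backsigs "just shorthand", so if the old name remains usable, say so in this entry so that readers with existing scripts or older documentation can map one name to the other. The rewritten paragraph also keeps the phrase "a subtle attack against signing subkeys" without describing it; one sentence on what the attack is would help readers judge whether they need to run this command.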
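Review bot: in the @@ -1415 hunk the new max-cert-size entry gives the unit only on the default ("16384 bytes") and does not say what happens to a DNS CERT key above the limit. Please state in the first sentence that the value is in bytes, and say whether an oversized key is rejected outright, since that is the behaviour a user tuning this limit needs to know. The unchanged context line "For HTTP-like keyserver schemes that (such as HKP and HTTP itself)" has a stray "that" which could be dropped while this paragraph is being edited.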
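Review bot: in the @@ -2789 hunk the negated option is added as --no-require-certification, while the paragraph added below it refers to --no-require-cross-certification; the option line appears to have lost "cross-" and should read --no-require-cross-certification so that the heading and the description name the same option. The same paragraph writes "cross certification" without the hyphen used everywhere else in the patch, and, as with the command rename, it does not say whether the old --require-backsigs spelling is still accepted for users who already have it in their configuration.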