Finished PKA feature

doc/ChangeLog

@@ -1,3 +1,9 @@
+2005-12-20  Werner Koch  <wk@g10code.com>
+
+	* gpg.sgml (trust-model): Document "auto" and the "pka" variants.
+	(keyserver-options): Document "auto-pka-retrieve".
+	(allow-pka-lookup): Document.
+
 2005-12-08  David Shaw  <dshaw@jabberwocky.com>
 
 	* gpg.sgml: Document --fetch-keys.

doc/DETAILS

@@ -287,6 +287,12 @@ more arguments in future versions.
 	to indicate how trustworthy the signature is.  The error token
         values are currently only emiited by gpgsm.
 
+    PKA_TRUST_GOOD <mailbox>
+    PKA_TRUST_BAD  <mailbox>
+        Depending on the outcome of the PKA check one of the above
+        status codes is emitted in addition to a TRUST_* status.
+        Without PKA info available or 
+
     SIGEXPIRED
 	This is deprecated in favor of KEYEXPIRED.
 

doc/gpg.sgml

@@ -1186,7 +1186,7 @@ recipient's or signator's key.
 </para></listitem></varlistentry>
 
 <varlistentry>
-<term>--trust-model <parameter>pgp|classic|always</parameter></term>
+<term>--trust-model <parameter>pgp|classic|direct|always</parameter></term>
 <listitem><para>
 
 Set what trust model GnuPG should follow.  The models are:
@@ -1195,7 +1195,14 @@ Set what trust model GnuPG should follow.  The models are:
 
 <varlistentry><term>pgp</term><listitem><para>
 This is the Web of Trust combined with trust signatures as used in PGP
-5.x and later.  This is the default trust model.
+5.x and later.  This is the default trust model when creating a new
+trust database.
+</para></listitem></varlistentry>
+
+<varlistentry><term>pgp+pka</term><listitem><para>
+Same as <term>pka</term> but a valid PKA will increase the trust to full.
+Note, that the option <term>--allow-pka-lookup</term> needs to be
+enabled to actually make this work.
 </para></listitem></varlistentry>
 
 <varlistentry><term>classic</term><listitem><para>
@@ -1207,6 +1214,10 @@ Key validity is set directly by the user and not calculated via the
 Web of Trust.
 </para></listitem></varlistentry>
 
+<varlistentry><term>direct+pka</term><listitem><para>
+Same as <term>direct</term> but a valid PKA will increase the trust to full.
+</para></listitem></varlistentry>
+
 <varlistentry><term>always</term><listitem><para>
 Skip key validation and assume that used keys are always fully
 trusted.  You won't use this unless you have installed some external
@@ -1215,6 +1226,18 @@ printed with signature checks when there is no evidence that the user
 ID is bound to the key.
 </para></listitem></varlistentry>
 
+<varlistentry><term>auto</term><listitem><para>
+Select the trust model depending on whatever the internal trust
+database says. This is the default model if such a database already
+exists.  Note, this won't enable the PKA sub model.
+</para></listitem></varlistentry>
+
+<varlistentry><term>auto+pka</term><listitem><para>
+Select the trust model depending on whatever the internal trust
+database says and enable the PKA sub model.
+</para></listitem></varlistentry>
+
+
 </variablelist></para></listitem></varlistentry>
 
 <varlistentry>
@@ -1223,6 +1246,15 @@ ID is bound to the key.
 Identical to `--trust-model always'.  This option is deprecated.
 </para></listitem></varlistentry>
 
+<varlistentry>
+<term>--allow-pka-lookup</term>
+<listitem><para>
+This option enables PKA lookups.  PKA is based on DNS; thus enabling
+this option may disclose information on when and what signatures are verified
+or to whom data is encrypted.  This is similar to the "web bug"
+described for the auto-key-retrieve feature.
+</para></listitem></varlistentry>
+
 
 <varlistentry>
 <term>--keyid-format <parameter>short|0xshort|long|0xlong</parameter></term>
@@ -1359,6 +1391,18 @@ on your local keyring), the operator can tell both your IP address and
 the time when you verified the signature.
 </para></listitem></varlistentry>
 
+<varlistentry>
+<term>auto-pka-retrieve</term>
+<listitem><para>
+This option enables the automatic retrieving of missing keys through
+information taken from PKA records in the DNS. Defaults to yes.
+Note, that the option <term>--allow-pka-lookup</term> needs to be
+enabled to actually make this work.  
+</para><para>
+By using this option, one may unintentionally disclose information
+similar to the one described for <term>auto-key-retrieve</term>.
+</para></listitem></varlistentry>
+
 </variablelist>
 </para></listitem></varlistentry>