authorNikos Mavrogiannopoulos <nmav@gnutls.org>2017-08-06 17:51:15 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-08 10:36:30 +0200
commitd681a5f1e6b6231a2303415b2364fd3e98d82d74 (patch)
tree23e05d4362f302f146bb8fc0222eefe0dc566fc3
parent8f2fdf61640e3a896bfe72ce72c8d8874f80457d (diff)
downloadgnutls-d681a5f1e6b6231a2303415b2364fd3e98d82d74.tar.gz
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r--NEWS7
-rw-r--r--src/certtool-args.def9
2 files changed, 15 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index ccd6f7a536..363fe754eb 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,13 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
Copyright (C) 2013-2017 Nikos Mavrogiannopoulos
See the end for copying conditions.
+* Version 3.5.15 (unreleased)
+
+** certtool: Keys with provable RSA and DSA parameters are now only exported
+ in PKCS#8 form, following draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt.
+ This removes the need for a non-standard key format.
+
+
* Version 3.5.14 (released 2017-07-04)
** libgnutls: Handle specially HSMs which request explicit authentication.
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 912810cf1a..1d692ec48b 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -60,7 +60,14 @@ flag = {
flag = {
name = provable;
descrip = "Generate a private key or parameters from a seed using a provable method";
- doc = "This will use the FIPS-186-4 algorithms (i.e., Shawe-Taylor) for provable key generation. When specified the private keys or parameters will be generated from a seed, and can be proven to be correctly generated from the seed. You may specify --seed or allow GnuTLS to generate one (recommended). This option can be combined with --generate-privkey or --generate-dh-params.";
+ doc = "This will use the FIPS-186-4 algorithms (i.e., Shawe-Taylor) for provable key generation.
+When specified the private keys or parameters will be generated from a seed, and can be
+later validated with --verify-provable-privkey to be correctly generated from the seed. You may
+specify --seed or allow GnuTLS to generate one (recommended). This option can be combined with
+--generate-privkey or --generate-dh-params.
+
+That option applies to RSA and DSA keys. On the DSA keys the PQG parameters
+are generated using the seed, and on RSA the two primes.";
};
flag = {
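Review bot: The paragraph added to the `doc` string of the `provable` flag says the option "applies to RSA and DSA keys", while the sentence just before it still lists `--generate-dh-params` as a valid combination, so a reader cannot tell whether DH parameters are covered. It also opens with "That option" where `This option applies to RSA and DSA keys.` is meant. Because the text states that on RSA the two primes are generated using the seed, a caveat would help, for example `For RSA the seed determines the primes, so a seed supplied with --seed must be protected like the private key itself.` The NEWS entry in this commit says provable keys are now exported only in PKCS#8 form; the help text could mention that too, so users know what output format to expect when they later run --verify-provable-privkey.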