From d681a5f1e6b6231a2303415b2364fd3e98d82d74 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sun, 6 Aug 2017 17:51:15 +0200
Subject: doc update

Signed-off-by: Nikos Mavrogiannopoulos
---
 NEWS | 7 +++++++
 src/certtool-args.def | 9 ++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index ccd6f7a536..363fe754eb 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,13 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
 Copyright (C) 2013-2017 Nikos Mavrogiannopoulos
 See the end for copying conditions.
 
+* Version 3.5.15 (unreleased)
+
+** certtool: Keys with provable RSA and DSA parameters are now only exported
+ in PKCS#8 form, following draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt.
+ This removes the need for a non-standard key format.
+
+
 * Version 3.5.14 (released 2017-07-04)
 
 ** libgnutls: Handle specially HSMs which request explicit authentication.
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 912810cf1a..1d692ec48b 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -60,7 +60,14 @@ flag = {
 flag = {
 name = provable;
 descrip = "Generate a private key or parameters from a seed using a provable method";
- doc = "This will use the FIPS-186-4 algorithms (i.e., Shawe-Taylor) for provable key generation. When specified the private keys or parameters will be generated from a seed, and can be proven to be correctly generated from the seed. You may specify --seed or allow GnuTLS to generate one (recommended). This option can be combined with --generate-privkey or --generate-dh-params.";
+ doc = "This will use the FIPS-186-4 algorithms (i.e., Shawe-Taylor) for provable key generation.
+When specified the private keys or parameters will be generated from a seed, and can be
+later validated with --verify-provable-privkey to be correctly generated from the seed. You may
+specify --seed or allow GnuTLS to generate one (recommended). This option can be combined with
+--generate-privkey or --generate-dh-params.
+
+That option applies to RSA and DSA keys. On the DSA keys the PQG parameters
+are generated using the seed, and on RSA the two primes.";
 };
 
 flag = {
-- cgit v1.2.1
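Review bot: The added closing paragraph of the `provable` doc string opens with "That option", which reads as if it referred to `--generate-dh-params` from the sentence before it; `This option applies to RSA and DSA keys.` would be unambiguous. The paragraph also leaves open how it relates to `--generate-dh-params`, which the text above still lists as a valid combination, so it would help to say whether DH parameter generation is covered as well. The doc string does not mention that later validation with `--verify-provable-privkey` presumably depends on the key being kept in the PKCS#8 form described in this commit's NEWS entry; a sentence such as `Keys generated this way are exported in PKCS#8 form, which carries the validation parameters.` would warn users against converting the key before verifying it (to be confirmed against the export code, which is not part of this diff). The trailing `flag = {` context line opens a definition that continues outside the hunk.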