I just pointed someone to the starttls man page and noticed
some things that are wrong or don't make much sense:
The first entry is missing a tag. I don't understand:
force string verification depths to at least 80 bits
string - strong maybe?
But depths to at least 80 bits doesn't make much sense to me.
cf/README states:
VERIFY:bits verification must have succeeded and ${cipher_bits} must
be greater than or equal bits.
ENCR:bits ${cipher_bits} must be greater than or equal bits.
So here's a suggested patch (also increasing the strength, as 112/80
isn't considered strong).
--- starttls.8- Sun Oct 14 09:46:56 2012
+++ starttls.8 Sun Oct 14 09:49:37 2012
@@ -319,13 +319,13 @@
Here are a few example entries that illustrate these features, and
the role based granularity as well:
.Pp
-Force strong (112-bit) encryption for communications for this server:
+Force strong (256-bit) encryption for communications for this server:
.Pp
-.Dl server1.example.netENCR:112
+.Dl TLS_Srv:server1.example.netENCR:256
.Pp
-For a TLS client, force string verification depths to at least 80 bits:
+For a TLS client, force encryption with least 128 bits and also verification:
.Pp
-.Dl TLS_Clt:desktop.example.net VERIFY:80
+.Dl TLS_Clt:desktop.example.net VERIFY:128
.Pp
Much more complicated access maps are possible, and error conditions (such
as permanent or temporary, PERM+ or TEMP+) can be set on the basis of
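Review bot: the replacement wording on the client line, "force encryption with least 128 bits and also verification", has a missing word ("with at least 128 bits") and understates what cf/README says VERIFY:bits means; "require successful verification and at least 128-bit encryption" would match the README's definition (verification must have succeeded and ${cipher_bits} must be greater than or equal to bits). Also, the server example ".Dl TLS_Srv:server1.example.netENCR:256" has no separator between the key and the ENCR:256 value, while the client example ".Dl TLS_Clt:desktop.example.net VERIFY:128" has one; check that a tab or space between key and value is present in the man page source so the example shows a valid access map entry.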