(reply to tech, not misc, as there's a diff involved)
On Sun, Oct 14, 2012 at 09:54:22AM -0700, Claus Assmann wrote:
> I just pointed someone to the starttls man page and noticed
> some things that are wrong or don't make much sense:
>
> The first entry is missing a tag. I don't understand:
> "force string verification depths to at least 80 bits"
> "string" -> "strong" maybe?
> But "depths to at least 80 bits" doesn't make much sense to me.
>
> cf/README states:
> VERIFY:bits verification must have succeeded and ${cipher_bits} must
> be greater than or equal bits.
> ENCR:bits ${cipher_bits} must be greater than or equal bits.
>
> So here's a suggested patch (also increasing the strength, as 112/80
> isn't considered "strong").
>
after some discussion with claus, we tweaked this a little further
from the original diff. i'll commit this if no one objects, but explicit
oks very welcome.
jmc
Index: starttls.8
===================================================================
RCS file: /cvs/src/share/man/man8/starttls.8,v
retrieving revision 1.18
diff -u -r1.18 starttls.8
--- starttls.8 26 Sep 2012 17:34:38 -0000 1.18
+++ starttls.8 16 Oct 2012 16:13:19 -0000
@@ -319,13 +319,14 @@
Here are a few example entries that illustrate these features, and
the role based granularity as well:
.Pp
-Force strong (112-bit) encryption for communications for this server:
+Require strong (256-bit) encryption for communication with this server:
.Pp
-.Dl server1.example.net ENCR:112
+.Dl TLS_Srv:server1.example.net ENCR:256
.Pp
-For a TLS client, force string verification depths to at least 80 bits:
+For a TLS client,
+require verification and a minimum of 128-bit encryption:
.Pp
-.Dl TLS_Clt:desktop.example.net VERIFY:80
+.Dl TLS_Clt:desktop.example.net VERIFY:128
.Pp
Much more complicated access maps are possible, and error conditions (such
as permanent or temporary, PERM+ or TEMP+) can be set on the basis of
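Review bot: the two rewritten examples now disagree on what counts as strong enough, and the text does not say why. Per the cf/README semantics quoted above, the new `TLS_Srv:server1.example.net ENCR:256` entry rejects any session whose ${cipher_bits} is below 256 (so 128-bit ciphers are refused for that server), while the new `TLS_Clt:desktop.example.net VERIFY:128` entry accepts 128 bits as its minimum. If the stricter server example is intentional, a short clause in the "Require strong (256-bit) encryption" sentence explaining the choice would help readers who copy it; otherwise consider using the same bit value in both entries so the two examples read as one consistent policy.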