New upstream release (6.8p1).

author: Colin Watson <cjwatson@debian.org> 2015-08-19 14:23:51 +0100
committer: Colin Watson <cjwatson@debian.org> 2015-08-19 16:48:11 +0100
commit: 0f0841b2d28b7463267d4d91577e72e3340a1d3a (patch)
tree: ba55fcd2b6e2cc22b30f5afb561dbb3da4c8b6c7 /PROTOCOL.krl
parent: f2a5f5dae656759efb0b76c3d94890b65c197a02 (diff)
parent: 8698446b972003b63dfe5dcbdb86acfe986afb85 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/PROTOCOL.krl b/PROTOCOL.krl
index e8caa4527..b9695107b 100644
--- a/PROTOCOL.krl
+++ b/PROTOCOL.krl
@@ -37,7 +37,7 @@ The available section types are:
 #define KRL_SECTION_FINGERPRINT_SHA1            3
 #define KRL_SECTION_SIGNATURE                   4
-3. Certificate serial section
+2. Certificate section
 These sections use type KRL_SECTION_CERTIFICATES to revoke certificates by
 serial number or key ID. The consist of the CA key that issued the
@@ -47,6 +47,11 @@ ignored.
        string ca_key
        string reserved
+Where "ca_key" is the standard SSH wire serialisation of the CA's
+public key. Alternately, "ca_key" may be an empty string to indicate
+the certificate section applies to all CAs (this is most useful when
+revoking key IDs).
 Followed by one or more sections:
        byte    cert_section_type
@@ -161,4 +166,4 @@ Implementations that retrieve KRLs over untrusted channels must verify
 signatures. Signature sections are optional for KRLs distributed by
 trusted means.
-$OpenBSD: PROTOCOL.krl,v 1.2 2013/01/18 00:24:58 djm Exp $
+$OpenBSD: PROTOCOL.krl,v 1.3 2015/01/30 01:10:33 djm Exp $
author	Colin Watson <cjwatson@debian.org>	2015-08-19 14:23:51 +0100
committer	Colin Watson <cjwatson@debian.org>	2015-08-19 16:48:11 +0100
commit	0f0841b2d28b7463267d4d91577e72e3340a1d3a (patch)
tree	ba55fcd2b6e2cc22b30f5afb561dbb3da4c8b6c7 /PROTOCOL.krl
parent	f2a5f5dae656759efb0b76c3d94890b65c197a02 (diff)
parent	8698446b972003b63dfe5dcbdb86acfe986afb85 (diff)