Diffstat (limited to 'PROTOCOL.krl')
-rw-r--r-- | PROTOCOL.krl | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/PROTOCOL.krl b/PROTOCOL.krl index f319bad21..115f80e5d 100644 --- a/PROTOCOL.krl +++ b/PROTOCOL.krl | |||
@@ -36,6 +36,7 @@ The available section types are: | |||
36 | #define KRL_SECTION_EXPLICIT_KEY 2 | 36 | #define KRL_SECTION_EXPLICIT_KEY 2 |
37 | #define KRL_SECTION_FINGERPRINT_SHA1 3 | 37 | #define KRL_SECTION_FINGERPRINT_SHA1 3 |
38 | #define KRL_SECTION_SIGNATURE 4 | 38 | #define KRL_SECTION_SIGNATURE 4 |
39 | #define KRL_SECTION_FINGERPRINT_SHA256 5 | ||
39 | 40 | ||
40 | 2. Certificate section | 41 | 2. Certificate section |
41 | 42 | ||
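Review bot: The new KRL_SECTION_FINGERPRINT_SHA256 type is assigned number 5, but the list does not say how a parser that predates this change should treat a section type it does not recognise; since KRLs are a revocation mechanism, silently skipping an unknown section could leave a revoked key accepted, so consider stating next to this list whether an implementation must reject a KRL containing an unknown section type or may ignore it.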
@@ -127,18 +128,19 @@ must be a raw key (i.e. not a certificate). | |||
127 | 128 | ||
128 | This section may appear multiple times. | 129 | This section may appear multiple times. |
129 | 130 | ||
130 | 4. SHA1 fingerprint sections | 131 | 4. SHA1/SHA256 fingerprint sections |
131 | 132 | ||
132 | These sections, identified as KRL_SECTION_FINGERPRINT_SHA1, revoke | 133 | These sections, identified as KRL_SECTION_FINGERPRINT_SHA1 and |
133 | plain keys (i.e. not certificates) by listing their SHA1 hashes: | 134 | KRL_SECTION_FINGERPRINT_SHA256, revoke plain keys (i.e. not |
135 | certificates) by listing their hashes: | ||
134 | 136 | ||
135 | string public_key_hash[0] | 137 | string public_key_hash[0] |
136 | .... | 138 | .... |
137 | 139 | ||
138 | This section must contain at least one "public_key_hash". The hash blob | 140 | This section must contain at least one "public_key_hash". The hash blob |
139 | is obtained by taking the SHA1 hash of the public key blob. Hashes in | 141 | is obtained by taking the SHA1 or SHA256 hash of the public key blob. |
140 | this section must appear in numeric order, treating each hash as a big- | 142 | Hashes in this section must appear in numeric order, treating each hash |
141 | endian integer. | 143 | as a big-endian integer. |
142 | 144 | ||
143 | This section may appear multiple times. | 145 | This section may appear multiple times. |
144 | 146 | ||
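Review bot: In the rewritten paragraph, "taking the SHA1 or SHA256 hash of the public key blob" reads as if either algorithm could appear within one section; the hash algorithm is actually fixed by the section type, so it would be clearer to say that the blob is the SHA1 hash for KRL_SECTION_FINGERPRINT_SHA1 sections and the SHA256 hash for KRL_SECTION_FINGERPRINT_SHA256 sections, and that a section must not mix them. That also makes the "numeric order, treating each hash as a big-endian integer" requirement well defined, since every hash in the section then has the same length.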
@@ -166,4 +168,4 @@ Implementations that retrieve KRLs over untrusted channels must verify | |||
166 | signatures. Signature sections are optional for KRLs distributed by | 168 | signatures. Signature sections are optional for KRLs distributed by |
167 | trusted means. | 169 | trusted means. |
168 | 170 | ||
169 | $OpenBSD: PROTOCOL.krl,v 1.4 2018/04/10 00:10:49 djm Exp $ | 171 | $OpenBSD: PROTOCOL.krl,v 1.5 2018/09/12 01:21:34 djm Exp $ |