X-Git-Url: http://the.earth.li/gitweb/?a=blobdiff_plain;f=onak.ini.in;h=92e02d80caf50dd00c87e1df34a99cdaf7f69d8d;hb=de18b56efecadc4b5d2473904828db9c08cd2162;hp=4dbf8305d516cf73fbf7a7447ac02efa96148c56;hpb=a799cc2909f47d918d1ec7171a9edba28a9f5136;p=onak.git

diff --git a/onak.ini.in b/onak.ini.in
index 4dbf830..92e02d8 100644
--- a/onak.ini.in
+++ b/onak.ini.in
@@ -16,9 +16,31 @@ max_reply_keys=128
 
 ; Settings related to key verification options available.
 [verification]
+; Blacklist certain fingerprints (e.g. EVIL32). One fingerprint per line,
+; comment lines start with #
+;blacklist=blacklist.txt
+; Check the size of packets, dropping overly large UIDs / signature packets
+; as per draft-dkg-openpgp-abuse-resistant-keystore 4.1
+;check_packet_size=false
 ; Verify signature hashes - verify that the hash a signature claims to be
 ; over matches the hash of the data. Does not actually verify the signature.
 check_sighash=true
+; Drop v3 (and older) keys. These are long considered insecure, so unless there
+; is a good reason you should accept this default.
+drop_v3=true
+; Specify that a key must have a certificate from another key in order for it
+; to be accepted. Only valid when verify_signatures is set, meaning new keys
+; can only be added if they are certified by keys already present.
+;require_other_sig=false
+; Only allow keys that already exist to be update; silently drop the addition
+; of any key we don't already know about. Useful for allowing updates to
+; curated keys without the addition of new keys.
+;update_only=false
+; Verify signatures, dropping those that cannot or do not validate. Keys/UIDS
+; that lack valid self signatures will also be dropped. Note that in order to
+; valid a signature the signing key must be present in the key database, so
+; multiple passes may be required to import new keyrings fully.
+;verify_signatures=false
 
 ; Settings related to the email interface to onak.
 [mail]