X-Git-Url: http://the.earth.li/gitweb/?p=onak.git;a=blobdiff_plain;f=onak.ini.in;h=fd6b9e499481245ba0645033e0f00744c96b5a09;hp=dc68e1f0173f6df9a8d8aea404313787d66ef93d;hb=76f079e5ebdb34acaaa2462a8d915ee06d3c8425;hpb=9ce8c6ced68d45b462abb4c6531b6476f4d1e681 diff --git a/onak.ini.in b/onak.ini.in index dc68e1f..fd6b9e4 100644 --- a/onak.ini.in +++ b/onak.ini.in @@ -9,7 +9,7 @@ logfile=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/log/onak.log loglevel=3 ; Should we use the keyd backend? use_keyd=false -sock_dir=@CMAKE_INSTALL_FULL_RUNSTATEDIR@ +sock_dir=@CMAKE_INSTALL_FULL_RUNSTATEDIR@/onak ; Maximum number of keys to return in a reply to an index, verbose index or ; get. Setting it to -1 will allow any size of reply. max_reply_keys=128 @@ -19,16 +19,28 @@ max_reply_keys=128 ; Blacklist certain fingerprints (e.g. EVIL32). One fingerprint per line, ; comment lines start with # ;blacklist=blacklist.txt +; Check the size of packets, dropping overly large UIDs / signature packets +; as per draft-dkg-openpgp-abuse-resistant-keystore 4.1 +;check_packet_size=false ; Verify signature hashes - verify that the hash a signature claims to be ; over matches the hash of the data. Does not actually verify the signature. check_sighash=true ; Drop v3 (and older) keys. These are long considered insecure, so unless there ; is a good reason you should accept this default. drop_v3=true +; Specify that a key must have a certificate from another key in order for it +; to be accepted. Only valid when verify_signatures is set, meaning new keys +; can only be added if they are certified by keys already present. +;require_other_sig=false ; Only allow keys that already exist to be update; silently drop the addition ; of any key we don't already know about. Useful for allowing updates to ; curated keys without the addition of new keys. ;update_only=false +; Verify signatures, dropping those that cannot or do not validate. Keys/UIDS +; that lack valid self signatures will also be dropped. Note that in order to +; valid a signature the signing key must be present in the key database, so +; multiple passes may be required to import new keyrings fully. +;verify_signatures=false ; Settings related to the email interface to onak. [mail]