X-Git-Url: https://the.earth.li/gitweb/?a=blobdiff_plain;f=onak.ini.in;h=92e02d80caf50dd00c87e1df34a99cdaf7f69d8d;hb=3da81770b841f841c5145f91a9ccedc296e13f4b;hp=dc68e1f0173f6df9a8d8aea404313787d66ef93d;hpb=9ce8c6ced68d45b462abb4c6531b6476f4d1e681;p=onak.git

diff --git a/onak.ini.in b/onak.ini.in
index dc68e1f..92e02d8 100644
--- a/onak.ini.in
+++ b/onak.ini.in
@@ -19,16 +19,28 @@ max_reply_keys=128
 ; Blacklist certain fingerprints (e.g. EVIL32). One fingerprint per line,
 ; comment lines start with #
 ;blacklist=blacklist.txt
+; Check the size of packets, dropping overly large UIDs / signature packets
+; as per draft-dkg-openpgp-abuse-resistant-keystore 4.1
+;check_packet_size=false
 ; Verify signature hashes - verify that the hash a signature claims to be
 ; over matches the hash of the data. Does not actually verify the signature.
 check_sighash=true
 ; Drop v3 (and older) keys. These are long considered insecure, so unless there
 ; is a good reason you should accept this default.
 drop_v3=true
+; Specify that a key must have a certificate from another key in order for it
+; to be accepted. Only valid when verify_signatures is set, meaning new keys
+; can only be added if they are certified by keys already present.
+;require_other_sig=false
 ; Only allow keys that already exist to be update; silently drop the addition
 ; of any key we don't already know about. Useful for allowing updates to
 ; curated keys without the addition of new keys.
 ;update_only=false
+; Verify signatures, dropping those that cannot or do not validate. Keys/UIDS
+; that lack valid self signatures will also be dropped. Note that in order to
+; valid a signature the signing key must be present in the key database, so
+; multiple passes may be required to import new keyrings fully.
+;verify_signatures=false
 
 ; Settings related to the email interface to onak.
 [mail]