tech-userlevel archive
Re: CVS commit: src/usr.bin/nbsvtool
On Tue, Jul 15, 2008 at 12:56:46AM +0200, Hubert Feyrer wrote:
> On Mon, 14 Jul 2008, Dieter Baron wrote:
>> attached is an updated version of the man page, please review.
I've committed an improved version, feel free to improve upon it.
From the commit message:
: Also, this man page assumes familiarity with the concepts used.
: While fully describing these concepts is outside the scope of this
: man page, a pointer to such a description should be included.
: Someone who knows of such a description, please provide pointers.
: Finally, we should have a companion tool to create the pieces needed
: to use this tool: set up a CA, create a certificate chain and a
: private key/certificate pair for signing.
> Details! What kind of files, where do they come from, how does one create
> them?
>
> The writer of that manpage seems to assume a lot of knowledge that I doubt
> is available...
Like I said, I think that is outside the scope of this man page;
rather, it should point to a good introduction to the concepts.
Sadly, I don't have one.
> This also goes for all other files - at least giving a hint via a filename
> suffix may help a bit.
Agreed. Joerg, could you please add the usual suffixes to the names
used in arguments, options, and examples?
> The EXAMPLES section sounds useful from the remote, but it needs more steps
> to get to a point where it can be used. Setup of the CA and whatever else
> needs to be done should be documented - not in this manpage, I guess, as
> other parts (postfix? ldap? httpd? ...?) may need the same knowledge. Put
> this into a common manpage, and reference it!
I think we should have a similar tool for this, see above.
> Details:
>
>> Verify that the signature hello.sp7 is valid for file hello
>> and that the certificate used allows code signing.
>> nbsvtool verify-code hello hello.sp7
>>
>> Same as above, but for file file.
>> nbsvtool -u code verify file file.sp7
>
> I don't get the difference here. Is it only the filename? Why use
> "verify-code" in one place, and "-u code verify" in the other place? And
> what is "code" anyways, in the latter example?
There is little difference, so I removed one of them.
>> SEE ALSO
>> openssl_smime(1)
>
> That file seems to describe something similar as the manpage at hand, yet
> it also lacks the steps to setup the whole process (it seems to me).
nbsvtool provides more convenient access to a subset of the
functionality provided by openssl_smime.
> Way to go until this is foolproof... :-(
This is not an end user tool, so it doesn't have to be foolproof.
I expect the application using this tool (e.g. pkg_install) to provide
additional information about the policies in use.
yours,
dillo
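
The setup steps the thread asks for (a CA, a signing key/certificate pair, a detached signature such as hello.sp7, and a code-signing check), sketched with plain openssl(1) as an added example; it is not part of the original message and not nbsvtool's own code. All file names, subject names and the configuration section names are assumptions made for the example.

```shell
# Added example (constructed); file and subject names are assumptions.
# make_pki DIR: throwaway CA plus a code-signing key/certificate pair.
make_pki() {
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_code]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
    openssl req -config "$1/demo.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test CA" -extensions v3_ca \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -config "$1/demo.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Code Signer" \
        -keyout "$1/sign.key" -out "$1/sign.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/sign.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/demo.cnf" -extensions v3_code \
        -out "$1/sign.pem" 2>/dev/null
}

# sign_file DIR FILE SIG: detached DER PKCS#7 signature over FILE.
sign_file() {
    openssl smime -sign -binary -in "$2" -signer "$1/sign.pem" \
        -inkey "$1/sign.key" -outform DER -out "$3" 2>/dev/null
}

# verify_code DIR FILE SIG: the signature must chain to the CA and the
# signer certificate must carry the codeSigning extended key usage.
# -purpose any: the default S/MIME purpose check rejects a certificate
# whose only EKU is codeSigning, so the EKU is checked explicitly instead.
verify_code() {
    openssl smime -verify -binary -inform DER -in "$3" -content "$2" \
        -CAfile "$1/ca.pem" -purpose any -signer "$1/seen.pem" \
        -out /dev/null 2>/dev/null &&
    openssl x509 -in "$1/seen.pem" -noout -text | grep -q "Code Signing"
}

d=$(mktemp -d) && make_pki "$d" && printf 'hello\n' > "$d/hello" &&
    sign_file "$d" "$d/hello" "$d/hello.sp7" &&
    verify_code "$d" "$d/hello" "$d/hello.sp7" && echo "signature OK"
rm -rf "$d"
```

The keys are written unencrypted (`-nodes`) only because this is a throwaway test CA; a real signing key would be passphrase-protected or held in hardware.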