I just pointed someone to the starttls man page and noticed some things that are wrong or don't make much sense:
The first entry is missing a tag. I don't understand: "force string verification depths to at least 80 bits". "string" -> "strong" maybe? But "depths to at least 80 bits" doesn't make much sense to me.

cf/README states:

VERIFY:bits verification must have succeeded and ${cipher_bits} must be greater than or equal bits.
ENCR:bits ${cipher_bits} must be greater than or equal bits.

So here's a suggested patch (also increasing the strength, as 112/80 isn't considered "strong").

--- starttls.8- Sun Oct 14 09:46:56 2012 +++ starttls.8 Sun Oct 14 09:49:37 2012 @@ -319,13 +319,13 @@ Here are a few example entries that illustrate these features, and the role based granularity as well: .Pp -Force strong (112-bit) encryption for communications for this server: +Force strong (256-bit) encryption for communications for this server: .Pp -.Dl server1.example.net ENCR:112 +.Dl TLS_Srv:server1.example.net ENCR:256 .Pp -For a TLS client, force string verification depths to at least 80 bits: +For a TLS client, force encryption with least 128 bits and also verification: .Pp -.Dl TLS_Clt:desktop.example.net VERIFY:80 +.Dl TLS_Clt:desktop.example.net VERIFY:128 .Pp Much more complicated access maps are possible, and error conditions (such as permanent or temporary, PERM+ or TEMP+) can be set on the basis of
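Review bot: the replacement description for the client example, "+For a TLS client, force encryption with least 128 bits and also verification:", drops a word and should read "with at least 128 bits". Since cf/README defines VERIFY:bits as "verification must have succeeded and ${cipher_bits} must be greater than or equal bits", consider wording it in those terms, for example "For a TLS client, require successful certificate verification and at least 128-bit encryption:", so that the ENCR and VERIFY examples describe the two keywords consistently. The tagging change to "+.Dl TLS_Srv:server1.example.net ENCR:256" is fine and now matches the TLS_Clt: form of the second example; note that ENCR:256 limits the server example to ciphers with 256-bit symmetric keys, which is acceptable for an illustration but worth keeping in mind if the text is meant to show a typical setting.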