From: Jeff Trawick <trawick@apache.org>
Date: Sat, 3 May 2014 13:43:14 +0000 (+0000)
Subject: Fill in various blurry areas reported on the certificate-transparency
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1d21f4fb527da83747ed62a32400e38cf77fb3f;p=thirdparty%2Fapache%2Fhttpd.git

Fill in various blurry areas reported on the certificate-transparency
forum.

Fix a minor formatting glitch with the attempt to show shell escaping
for a hash sign.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1592205 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_ssl_ct.xml b/docs/manual/mod/mod_ssl_ct.xml
index d8b76b5904e..ca76549774e 100644
--- a/docs/manual/mod/mod_ssl_ct.xml
+++ b/docs/manual/mod/mod_ssl_ct.xml
@@ -433,12 +433,20 @@ ServerHello</description>
 
   <p>Each of the six fields must be specified, but usually only a small
   amount of information must be configured for each log; use <em>-</em> when no
-  information is available for the field.  The fields are defined as follows:</p>
+  information is available for the field.  For example, in support of a
+  server-only configuration (i.e., no proxy), the administrator might
+  configure only the log URL to be used when submitting server certificates
+  and obtaining a Signed Certificate Timestamp.</p>
+
+  <p>The fields are defined as follows:</p>
 
   <dl>
     <dt><em>log-id</em></dt>
     <dd>This is the id of the log, which is the SHA-256 hash of the log's
-    public key.</dd>
+    public key, provided in hexadecimal format.  This string is 64 characters
+    in length.
+    <br />
+    This field should be omitted when <em>public-key-file</em> is provided.</dd>
 
     <dt><em>public-key-file</em></dt>
     <dd>This is the name of a file containing the PEM encoding of the log's
@@ -447,15 +455,20 @@ ServerHello</description>
 
     <dt><em>trust</em></dt>
     <dd>This is a generic <q>trust</q> flag.  Set this field to <em>0</em> to
-    distrust this log.</dd>
-
-    <dt><em>min-timestamp</em></dt>
-    <dd>SCTs received from this log by the proxy are invalid if the timestamp
-    is older than this value.</dd>
+    distrust this log, or to otherwise avoid using it for server certificate
+    submission.</dd>
 
-    <dt><em>max-timestamp</em></dt>
-    <dd>SCTs received from this log by the proxy are invalid if the timestamp
-    is newer than this value.</dd>
+    <dt><em>min-timestamp</em> and <em>max-timestamp</em></dt>
+    <dd>A timestamp is a time as expressed in the number of milliseconds since the
+    epoch, ignoring leap seconds.  This is the form of time used in Signed Certificate
+    Timestamps.  This must be provided as a decimal number.
+    <br />
+    Specify <strong><code>-</code></strong> for one of the timestamps if it is unknown.
+    For example, when configuring the minimum valid timestamp for a log which remains 
+    valid, specify <strong><code>-</code></strong> for <em>max-timestamp</em>.
+    <br />
+    SCTs received from this log by the proxy are invalid if the timestamp
+    is older than <em>min-timestamp</em> or newer than <em>max-timestamp</em>.</dd>
 
     <dt><em>log-URL</em></dt>
     <dd>This is the URL of the log, for use in submitting server certificates
diff --git a/docs/manual/programs/ctlogconfig.xml b/docs/manual/programs/ctlogconfig.xml
index 95f48b484e9..87fd2536900 100644
--- a/docs/manual/programs/ctlogconfig.xml
+++ b/docs/manual/programs/ctlogconfig.xml
@@ -26,8 +26,8 @@
 <title>ctlogconfig - Certificate Transparency log configuration tool</title>
 
 <summary>
-    <p><code>ctlogconfig</code> is a tool for maintaining a log configuration
-    database, for use with <module>mod_ssl_ct</module>.</p>
+    <p><code>ctlogconfig</code> is a tool for creating and maintaining a log
+    configuration database, for use with <module>mod_ssl_ct</module>.</p>
 
     <p>Refer first to <a href="../mod/mod_ssl_ct.html#logconf">Log
     configuration</a> in the <module>mod_ssl_ct</module> documentation.</p>
@@ -76,6 +76,36 @@
     <em>log-id</em>|<em>record-id</em>
   </code></p>
 
+  <dl>
+    <dt><em>log-id</em></dt>
+    <dd>This is the id of the log, which is the SHA-256 hash of the log's public key,
+    provided in hexadecimal format.  This string is 64 characters in length.</dd>
+
+    <dt><em>record-id</em></dt>
+    <dd>This is the record number in the database, as displayed by the <strong>dump</strong>
+    sub-command, prefixed with <strong>#</strong>.  As an example, <strong>#4</strong>
+    references the fourth record in the database.  (Use shell escaping as necessary.)</dd>
+
+    <dt><em>/path/to/public-key.pem</em></dt>
+    <dd>This is a file containing the log's public key in PEM format.  The public
+    key is not stored in the database.  Instead, a reference to the file is stored.
+    Thus, the file cannot be removed until the public key in the database is removed
+    or changed.</dd>
+
+    <dt><em>min-timestamp</em>, <em>max-timestamp</em></dt>
+    <dd>A timestamp is a time as expressed in the number of milliseconds since the
+    epoch, ignoring leap seconds.  This is the form of time used in Signed Certificate
+    Timestamps.  This must be provided as a decimal number.
+    <br />
+    Specify <strong><code>-</code></strong> for one of the timestamps if it is unknown.
+    For example, when configuring the minimum valid timestamp for a log which remains
+    valid, specify <strong><code>-</code></strong> for <em>max-timestamp</em>.
+    <br />
+    SCTs received from this log by the proxy are invalid if the timestamp
+    is older than <em>min-timestamp</em> or newer than <em>max-timestamp</em>.</dd>
+
+  </dl>
+
 </section>
 
 <section id="subcommands">
@@ -89,24 +119,29 @@
     <dt>configure-public-key</dt>
     <dd>Add a log's public key to the database or set the public key for an
     existing entry.  The log's public key is needed to validate the signature
-    of SCTs received by a proxy from a backend server.</dd>
+    of SCTs received by a proxy from a backend server.  (The database will
+    be created if it does not yet exist.)</dd>
 
     <dt>configure-url</dt>
     <dd>Add a log's URL to the database or set the URL for an existing entry.
     The log's URL is used when submitting server certificates to logs in
-    order to obtain SCTs to send to clients.</dd>
+    order to obtain SCTs to send to clients.  (The database will
+    be created if it does not yet exist.)</dd>
 
     <dt>valid-time-range</dt>
     <dd>Set the minimum valid time and/or the maximum valid time for a log.
     SCTs from the log with timestamps outside of the valid range will not be
-    accepted.  Use <code>-</code> for a time that is not being configured.</dd>
+    accepted.  Use <code>-</code> for a time that is not being configured.
+    (The database will be created if it does not yet exist.)</dd>
 
     <dt>trust</dt>
     <dd>Mark a log as trusted, which is the default setting.  This sub-command
-    is used to reverse a <em>distrust</em> setting.</dd>
+    is used to reverse a <em>distrust</em> setting.  (The database will
+    be created if it does not yet exist.)</dd>
 
     <dt>distrust</dt>
-    <dd>Mark a log as distrusted.</dd>
+    <dd>Mark a log as distrusted.  (The database will be created if it does
+    not yet exist.)</dd>
 
     <dt>forget</dt>
     <dd>Remove information about a log from the database.</dd>
@@ -147,7 +182,7 @@
   http://log2.example.com/ which has already been configured.</p>
 
   <example>
-    $ ctlogconfig /path/to/conf/log-config configure-public-key \\#2 /path/to/conf/log2-pub.pem<br />
+    $ ctlogconfig /path/to/conf/log-config configure-public-key \#2 /path/to/conf/log2-pub.pem<br />
     $ ctlogconfig /path/to/conf/log-config dump<br />
     Log entry:<br />
       Record 1<br />