author: Guilhem Moulin <guilhem@fripost.org> 2021-02-21 18:49:14 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2021-02-22 00:14:51 +0100
commit: 9898b1877ce2973bbc336921969bd7f16d3698fa
tree: 286901349d8345e204c21bce2b49737cbd72e286 /lacme-accountd.1.md
parent: 1bdaeae835b5c9914f9c2107efda150d643cda12
lacme-accountd(1): new setting 'keyid'.
This saves a round trip and provides a safeguard against malicious clients.
Diffstat (limited to 'lacme-accountd.1.md')
-rw-r--r-- lacme-accountd.1.md 18
1 files changed, 16 insertions, 2 deletions
diff --git a/lacme-accountd.1.md b/lacme-accountd.1.md
index d0b2c6b..4933a78 100644
--- a/lacme-accountd.1.md
+++ b/lacme-accountd.1.md
@@ -119,14 +119,28 @@ leading `--`) in the configuration file. Valid settings are:
[`gpg`(1)] to use, as well as some default options.
Default: `gpg --quiet`.
+*socket*
+
+: See `--socket=`.
+
*logfile*
: An optional file where to log to. The value is subject to
[%-specifier expansion](#percent-specifiers).
-*socket*
+*keyid*
-: See `--socket=`.
+: The "Key ID", as shown by `` `acme account` ``, to give the [ACME]
+ client. With an empty *keyid* (the default) the client forwards the
+ JSON Web Key (JWK) to the [ACME] server to retrieve the correct
+ value. A non-empty value therefore saves a round-trip.
+
+ A non-empty value also causes `lacme-accountd` to send an empty JWK,
+ thereby revoking all account management access (status change,
+ contact address updates etc.) from the client: any `` `acme account` ``
+ command (or any command from [`lacme`(8)] before version 0.8.0) is
+ bound to be rejected by the [ACME] server. This provides a
+ safeguard against malicious clients.
*quiet*
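Review bot: The new *keyid* entry does not say what happens when the configured value is wrong, for example a Key ID that belongs to a different account than the key `lacme-accountd` signs with. Since the text presents the setting as a safeguard, it should state the failure mode (presumably the [ACME] server rejects the request) so an operator can tell a typo from a client problem. The note that any command from [`lacme`(8)] before version 0.8.0 is "bound to be rejected" is a compatibility break buried in the second paragraph; consider leading with the version requirement. "Revoking" in "thereby revoking all account management access" may be read as a server-side action, whereas the paragraph describes withholding the JWK from the client, so "denying" or "withholding" would be clearer. The relocation of *socket* above *logfile* is unrelated to the new setting and would be easier to review as a separate change.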