From 9898b1877ce2973bbc336921969bd7f16d3698fa Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sun, 21 Feb 2021 18:49:14 +0100
Subject: lacme-accountd(1): new setting 'keyid'.

This saves a round trip and provides a safeguard against malicious
clients.
---
 lacme-accountd.1.md | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

(limited to 'lacme-accountd.1.md')

diff --git a/lacme-accountd.1.md b/lacme-accountd.1.md
index d0b2c6b..4933a78 100644
--- a/lacme-accountd.1.md
+++ b/lacme-accountd.1.md
@@ -119,14 +119,28 @@ leading `--`) in the configuration file.  Valid settings are:
     [`gpg`(1)] to use, as well as some default options.
     Default: `gpg --quiet`.
 
+*socket*
+
+:   See `--socket=`.
+
 *logfile*
 
 :   An optional file where to log to.  The value is subject to
     [%-specifier expansion](#percent-specifiers).
 
-*socket*
+*keyid*
 
-:   See `--socket=`.
+:   The "Key ID", as shown by `` `acme account` ``, to give the [ACME]
+    client.  With an empty *keyid* (the default) the client forwards the
+    JSON Web Key (JWK) to the [ACME] server to retrieve the correct
+    value.  A non-empty value therefore saves a round-trip.
+
+    A non-empty value also causes `lacme-accountd` to send an empty JWK,
+    thereby revoking all account management access (status change,
+    contact address updates etc.) from the client: any `` `acme account` ``
+    command (or any command from [`lacme`(8)] before version 0.8.0) is
+    bound to be rejected by the [ACME] server.  This provides a
+    safeguard against malicious clients.
 
 *quiet*
 
-- 
cgit v1.2.3