some spkac shortening; ok beck

1 files changed, 13 insertions, 68 deletions

diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index 004839f448f..a290433d92d 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.72 2016/09/15 17:49:03 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.73 2016/09/15 20:54:28 jmc Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -4946,13 +4946,9 @@ If this variable is set to no,
 only the signing certificate identifier is included.
 The default is no.
 .El
-.\"
-.\" SPKAC
-.\"
 .Sh SPKAC
 .nr nS 1
 .Nm "openssl spkac"
-.Bk -words
 .Op Fl challenge Ar string
 .Op Fl in Ar file
 .Op Fl key Ar keyfile
@@ -4963,25 +4959,21 @@ The default is no.
 .Op Fl spkac Ar spkacname
 .Op Fl spksect Ar section
 .Op Fl verify
-.Ek
 .nr nS 0
 .Pp
 The
 .Nm spkac
-command processes Netscape signed public key and challenge
-.Pq SPKAC
-files.
+command processes signed public key and challenge (SPKAC) files.
 It can print out their contents, verify the signature,
 and produce its own SPKACs from a supplied private key.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl challenge Ar string
-Specifies the challenge string if an SPKAC is being created.
+The challenge string, if an SPKAC is being created.
 .It Fl in Ar file
-This specifies the input
-.Ar file
-to read from, or standard input if this option is not specified.
+The input file to read from,
+or standard input if not specified.
 Ignored if the
 .Fl key
 option is used.
@@ -4992,74 +4984,27 @@ The
 .Fl in , noout , spksect ,
 and
 .Fl verify
-options are ignored if present.
+options are ignored, if present.
 .It Fl noout
-Don't output the text version of the SPKAC
-.Pq not used if an SPKAC is being created .
+Do not output the text version of the SPKAC.
 .It Fl out Ar file
-Specifies the output
-.Ar file
-to write to, or standard output by default.
+The output file to write to,
+or standard output if not specified.
 .It Fl passin Ar arg
 The key password source.
 .It Fl pubkey
-Output the public key of an SPKAC
-.Pq not used if an SPKAC is being created .
+Output the public key of an SPKAC.
 .It Fl spkac Ar spkacname
-Allows an alternative name for the variable containing the SPKAC.
+An alternative name for the variable containing the SPKAC.
 The default is "SPKAC".
 This option affects both generated and input SPKAC files.
 .It Fl spksect Ar section
-Allows an alternative name for the
+An alternative name for the
 .Ar section
 containing the SPKAC.
-The default is the default section.
 .It Fl verify
-Verifies the digital signature on the supplied SPKAC.
+Verify the digital signature on the supplied SPKAC.
 .El
-.Sh SPKAC EXAMPLES
-Print out the contents of an SPKAC:
-.Pp
-.Dl $ openssl spkac -in spkac.cnf
-.Pp
-Verify the signature of an SPKAC:
-.Pp
-.Dl $ openssl spkac -in spkac.cnf -noout -verify
-.Pp
-Create an SPKAC using the challenge string
-.Qq hello :
-.Pp
-.Dl $ openssl spkac -key key.pem -challenge hello -out spkac.cnf
-.Pp
-Example of an SPKAC,
-.Pq long lines split up for clarity :
-.Bd -unfilled -offset indent
-SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e
-PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e
-PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e
-2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e
-4=
-.Ed
-.Sh SPKAC NOTES
-A created SPKAC with suitable DN components appended can be fed into
-the
-.Nm ca
-utility.
-.Pp
-SPKACs are typically generated by Netscape when a form is submitted
-containing the
-.Em KEYGEN
-tag as part of the certificate enrollment process.
-.Pp
-The challenge string permits a primitive form of proof of possession
-of private key.
-By checking the SPKAC signature and a random challenge
-string, some guarantee is given that the user knows the private key
-corresponding to the public key being certified.
-This is important in some applications.
-Without this it is possible for a previous SPKAC
-to be used in a
-.Qq replay attack .
 .\"
 .\" VERIFY
 .\"