author Angelos D. Keromytis <angelos@cvs.openbsd.org> 1999-02-05 02:01:44 +0000
committer Angelos D. Keromytis <angelos@cvs.openbsd.org> 1999-02-05 02:01:44 +0000
commit 2f5d04a2842d4678fb643a850b30cd412c5c6a57
tree b2de5a2f02cbd966ee6110ecd0a8cb912f26fa1e /sbin/ipsecadm
parent 7de5ae58f60cba4030bf9f41d75f07e7a8c5b410
Stress the importance of random keys.
Diffstat (limited to 'sbin/ipsecadm')
-rw-r--r-- sbin/ipsecadm/ipsecadm.1 14
1 files changed, 10 insertions, 4 deletions
diff --git a/sbin/ipsecadm/ipsecadm.1 b/sbin/ipsecadm/ipsecadm.1
index 168293f3c2e..1cd81e0938e 100644
--- a/sbin/ipsecadm/ipsecadm.1
+++ b/sbin/ipsecadm/ipsecadm.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsecadm.1,v 1.2 1998/12/29 12:01:26 deraadt Exp $
+.\" $OpenBSD: ipsecadm.1,v 1.3 1999/02/05 02:01:43 angelos Exp $
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
@@ -202,13 +202,16 @@ for
.Nm des
and
.Nm 3des
-is fixed to 8 and 24 respectivly. For other ciphers like
+is fixed to 8 and 24 respectively. For other ciphers like
.Nm cast
or
.Nm blf
the key length can be variable. The
.Nm key
-should be given in hexadecimal digits.
+should be given in hexadecimal digits. The
+.Nm key
+should be chosen in random (ideally, using some true-random source like
+coin flipping). It is very important that the key is not guessable.
.It authkey
The secret key material used for authentication
if additional authentication in new esp mode is required. For
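Review bot: In the sentence added to the key item, "should be chosen in random" should read "chosen at random", and the coin-flipping advice does not scale to the key lengths this same paragraph gives: a 24-byte 3des key is 192 flips, which then have to be converted to hexadecimal digits by hand. Suggest keeping the requirement that the key not be guessable, but telling the reader how to obtain that many random bytes in hexadecimal form, so the advice is something an administrator will actually follow.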
@@ -216,7 +219,10 @@ old or new ah the key material for authentication is passed with the
.Nm key
option. The
.Nm key
-should be given in hexadecimal digits.
+should be given in hexadecimal digits. The
+.Nm key
+should be chosen in random (ideally, using some true-random source like
+coin flipping). It is very important that the key is not guessable.
.It iv
The initialization vector used for encryption. In old esp mode you need
to specify it as either four or eight byte long value. In new esp mode
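Review bot: Under the authkey item the added sentence still names only ".Nm key", so a reader cannot tell whether the randomness requirement also covers the authkey material this item describes. Suggest wording it to cover both options explicitly, for example "The key and authkey should be chosen at random", and, since the text is a verbatim copy of the sentence added to the key item, consider stating it once and referring to it from here so the two copies cannot drift apart.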