DKIM: add support for the SubjectPublicKeyInfo wrapped form of pubkey

[exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 562fb09e455d09ad90a09d4c300fb2f004933eef..a35a8bf267e04e6f4da70986ba3a7a816d64b657 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -12997,7 +12997,8 @@ It is only useful as the argument of a
 &%certextract%& expansion item, &%md5%&, &%sha1%& or &%sha256%& operator,
 or a &%def%& condition.
 
-&*Note*&: Under current versions of OpenSSL, when a list of more than one
+&*Note*&: Under versions of OpenSSL preceding 1.1.1,
+when a list of more than one
 file is used for &%tls_certificate%&, this variable is not reliable.
 
 .vitem &$tls_in_peercert$&
@@ -17237,7 +17238,8 @@ option in the relevant &(smtp)& transport.
 &*Note*&: If you use filenames based on IP addresses, change the list
 separator in the usual way to avoid confusion under IPv6.
 
-&*Note*&: Under current versions of OpenSSL, when a list of more than one
+&*Note*&: Under versions of OpenSSL preceding 1.1.1,
+when a list of more than one
 file is used, the &$tls_in_ourcert$& variable is unreliable.
 
 &*Note*&: OCSP stapling is not usable under OpenSSL
@@ -39065,6 +39067,11 @@ To produce the required public key value for a DNS record:
 openssl pkey -outform DER -pubout -in dkim_ed25519.private | tail -c +13 | base64
 certtool --load_privkey=dkim_ed25519.private --pubkey_info --outder | tail -c +13 | base64
 .endd
+
+Note that the format
+of Ed25519 keys in DNS has not yet been decided; this release supports
+both of the leading candidates at this time, a future release will
+probably drop support for whichever proposal loses
 .wen
 
 .option dkim_hash smtp string&!! sha256