===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/PROTOCOL.krl,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- src/usr.bin/ssh/PROTOCOL.krl	2013/01/18 00:24:58	1.2
+++ src/usr.bin/ssh/PROTOCOL.krl	2015/01/30 01:10:33	1.3
@@ -37,7 +37,7 @@
 #define KRL_SECTION_FINGERPRINT_SHA1		3
 #define KRL_SECTION_SIGNATURE			4
 
-3. Certificate serial section
+2. Certificate section
 
 These sections use type KRL_SECTION_CERTIFICATES to revoke certificates by
 serial number or key ID. The consist of the CA key that issued the
@@ -47,6 +47,11 @@
 	string ca_key
 	string reserved
 
+Where "ca_key" is the standard SSH wire serialisation of the CA's
+public key. Alternately, "ca_key" may be an empty string to indicate
+the certificate section applies to all CAs (this is most useful when
+revoking key IDs).
+
 Followed by one or more sections:
 
 	byte	cert_section_type
@@ -161,4 +166,4 @@
 signatures. Signature sections are optional for KRLs distributed by
 trusted means.
 
-$OpenBSD: PROTOCOL.krl,v 1.2 2013/01/18 00:24:58 djm Exp $
+$OpenBSD: PROTOCOL.krl,v 1.3 2015/01/30 01:10:33 djm Exp $