Clarified use of secret/public keys

strattond · Oct 23, 2013 · cd2afeb · cd2afeb
1 parent bd411bb
commit cd2afeb
Showing 1 changed file with 11 additions and 12 deletions.
diff --git a/doc/zmq_setsockopt.txt b/doc/zmq_setsockopt.txt
@@ -624,8 +624,9 @@ linkzmq:zmq_curve[7]. A value of '1' means the socket will act as
 CURVE server. A value of '0' means the socket will not act as CURVE
 server, and its security role then depends on other option settings.
 Setting this to '0' shall reset the socket security to NULL. When you
-set this you must also set both the public and secret keys using the
-ZMQ_CURVE_PUBLICKEY and ZMQ_CURVE_SECRETKEY options.
+set this you must also set the server's secret key using the
+ZMQ_CURVE_SECRETKEY option. A server socket does not need to know
+its own public key.
 
 [horizontal]
 Option value type:: int
@@ -637,14 +638,11 @@ Applicable socket types:: all, when using TCP transport
 ZMQ_CURVE_PUBLICKEY: Set CURVE public key
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Sets the socket's long term public key. You must set this on both CURVE
-client and server sockets, see linkzmq:zmq_curve[7]. You can provide the
-key as 32 binary bytes, or as a 40-character string encoded in the Z85
-encoding format. For servers, the public key must be persisted and
-shared through some unspecified but secure mechanism to clients. The
-public key must always be used with the matching secret key generated
-at the same time. To generate a public/secret key pair, use the
-tools/curve_keygen tool.
+Sets the socket's long term public key. You must set this on CURVE client
+sockets, see linkzmq:zmq_curve[7]. You can provide the key as 32 binary
+bytes, or as a 40-character string encoded in the Z85 encoding format.
+The public key must always be used with the matching secret key. To
+generate a public/secret key pair, use linkzmq:zmq_curve_keypair[3].
 
 [horizontal]
 Option value type:: binary data or Z85 text string
@@ -659,7 +657,8 @@ ZMQ_CURVE_SECRETKEY: Set CURVE secret key
 Sets the socket's long term secret key. You must set this on both CURVE
 client and server sockets, see linkzmq:zmq_curve[7]. You can provide the
 key as 32 binary bytes, or as a 40-character string encoded in the Z85
-encoding format.
+encoding format. To generate a public/secret key pair, use
+linkzmq:zmq_curve_keypair[3].
 
 [horizontal]
 Option value type:: binary data or Z85 text string
@@ -674,7 +673,7 @@ ZMQ_CURVE_SERVERKEY: Set CURVE server key
 Sets the socket's long term server key. You must set this on CURVE client
 sockets, see linkzmq:zmq_curve[7]. You can provide the key as 32 binary
 bytes, or as a 40-character string encoded in the Z85 encoding format.
-This key must be the same as the public key set on the server socket.
+This key must have been generated together with the server's secret key.
 
 [horizontal]
 Option value type:: binary data or Z85 text string