Diffstat (limited to 'doc')
-rw-r--r-- doc/DETAILS | 6
-rw-r--r-- doc/HACKING | 13
-rw-r--r-- doc/com-certs.pem | 18
-rw-r--r-- doc/faq.org | 44
-rw-r--r-- doc/gpgsm.texi | 15
-rw-r--r-- doc/scdaemon.texi | 58
6 files changed, 116 insertions, 38 deletions
diff --git a/doc/DETAILS b/doc/DETAILS
index 543ae4d96..ddf7438f5 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
@@ -58,6 +58,10 @@ record; gpg2 does this by default and the option is a dummy.
u = The key is ultimately valid. This often means
that the secret key is available, but any key may
be marked as ultimately valid.
+ w = The key has a well known private part.
+ s = The key has special validity. This means that it
+ might be self-signed and expected to be used in
+ the STEED sytem.
If the validity information is given for a UID or UAT
record, it describes the validity calculated based on this
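Review bot: typo in the new "s" entry: "STEED sytem" should read "STEED system". The new "w" letter ("The key has a well known private part") should also spell out what that implies for a consumer of this field, namely that such a key provides neither authenticity nor confidentiality and must not be treated like a validly trusted key, because the single validity letter is exactly what scripts parsing --with-colons output branch on.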
@@ -347,6 +351,7 @@ more arguments in future versions.
"pgp" for the standard PGP WoT.
"shell" for the standard X.509 model.
"chain" for the chain model.
+ "steed" for the STEED model.
Note that we use the term "TRUST_" in the status names for
historic reasons; we now speak of validity.
@@ -1036,6 +1041,7 @@ OIDs below the GnuPG arc:
1.3.6.1.4.1.11591.2.1.1 pkaAddress
1.3.6.1.4.1.11591.2.2 X.509 extensions
1.3.6.1.4.1.11591.2.2.1 standaloneCertificate
+ 1.3.6.1.4.1.11591.2.2.2 wellKnownPrivateKey
1.3.6.1.4.1.11591.2.12242973 invalid encoded OID
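Review bot: the new wellKnownPrivateKey entry gets an OID in the arc list but no description of what the extension marks or how gpgsm treats a certificate carrying it. A short note (the certificate's private key is intentionally public, so the certificate must never be accepted as a source of validity) belongs here, since this arc list is the only place the OID is documented.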
diff --git a/doc/HACKING b/doc/HACKING
index d6cb8ab4c..0ef5b891d 100644
--- a/doc/HACKING
+++ b/doc/HACKING
@@ -23,7 +23,8 @@ and ChangeLog entries don't give enough of the big picture. Omit the
leading TABs that you're used to seeing in a "real" ChangeLog file, but
keep the maximum line length at 72 or smaller, so that the generated
ChangeLog lines, each with its leading TAB, will not exceed 80 columns.
-
+If you want to add text which shall not be copied to the ChangeLog,
+separate it by a line consisting of two dashes at the begin of a line.
===> What follows is probably out of date <===
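Review bot: "at the begin of a line" should be "at the beginning of a line". The sentence would also be clearer if it showed the separator literally, e.g. "a line consisting only of two dashes (--)", since readers have to reproduce it exactly for the ChangeLog extraction to work.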
@@ -39,15 +40,17 @@ RFCs
1750 Randomness Recommendations for Security.
-1991 PGP Message Exchange Formats.
-
-2015 MIME Security with Pretty Good Privacy (PGP).
+1991 PGP Message Exchange Formats (obsolete)
2144 The CAST-128 Encryption Algorithm.
2279 UTF-8, a transformation format of ISO 10646.
-2440 OpenPGP.
+2440 OpenPGP (obsolete).
+
+3156 MIME Security with Pretty Good Privacy (PGP).
+
+4880 Current OpenPGP specification.
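Review bot: the trailing punctuation is inconsistent: "2440 OpenPGP (obsolete)." has a period while "1991 PGP Message Exchange Formats (obsolete)" does not; pick one form. The 4880 entry also does not name the RFC ("OpenPGP Message Format"); "4880 OpenPGP Message Format (obsoletes 2440)." would match the style of the other entries and make the relation to the obsolete entry explicit.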
diff --git a/doc/com-certs.pem b/doc/com-certs.pem
index 43e93b74c..b3d5fa2c3 100644
--- a/doc/com-certs.pem
+++ b/doc/com-certs.pem
@@ -482,3 +482,21 @@ G1RRiCiWgYaEtSIDAP0V9ehpcghfJLlmMBnxSf4n7OZvkd1whvme2rXaQxnZi2qV
d2qclY03eJ7zx6Zpq8VFuVvOxvmFZ4mMe706runhCq+rHc5x6x0/oIMhDrk=
-----END CERTIFICATE-----
+Issuer ...: /CN=The STEED Self-Signing Nonthority
+Serial ...: 01
+Subject ..: /CN=The STEED Self-Signing Nonthority
+
+-----BEGIN CERTIFICATE-----
+-----END CERTIFICATE-----
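Review bot: the new entry has no comment explaining why a self-signed certificate with CN "The STEED Self-Signing Nonthority" and serial 01 belongs in the common certificates bundle, or whether users are expected to add it to trustlist.txt. Since this file is imported as a whole, add a few lines above the Issuer line describing its role in the STEED model and stating plainly that it is not a real CA and must not be granted trust by itself.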
diff --git a/doc/faq.org b/doc/faq.org
index ee6c0c758..a11fabebd 100644
--- a/doc/faq.org
+++ b/doc/faq.org
@@ -1167,13 +1167,8 @@ update this FAQ in the next month. See the section "Changes" for recent updates
:CUSTOM_ID: i-get-sed-errors-when-running-configure-on-mac-os-x
:END:
- This will be fixed after GnuPG has been upgraded to autoconf-2.50.
- Until then, find the line setting CDPATH in the configure script
- and place an:
-
- : unset CDPATH
-
- statement below it.
+ This problem has been fixed for all modern GnuPG versions.
+ (By using an autoconf 2.50 generated configure script).
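Review bot: "(By using an autoconf 2.50 generated configure script)." is a parenthesized fragment standing alone as a sentence; fold it into the preceding one, e.g. "This problem has been fixed for all modern GnuPG versions, which use an autoconf 2.50 generated configure script."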
** Why does GnuPG 1.0.6 bail out on keyrings used with 1.0.7?
:PROPERTIES:
@@ -1470,6 +1465,41 @@ update this FAQ in the next month. See the section "Changes" for recent updates
of the listing before before starting the import.
+* Bug reporting and hacking
+ :PROPERTIES:
+ :CUSTOM_ID: bugreports-et-al
+ :END:
+
+** Copyright asssignments
+ :PROPERTIES:
+ :CUSTOM_ID: copyright-assigments
+ :END:
+
+** U.S. export restrictions
+ :PROPERTIES:
+ :CUSTOM_ID: us-export-restrictions
+ :END:
+
+GnuPG has originally been developed in Germany because we have been
+able to do that without being affected by the US export restrictions.
+We had to reject any contributions from US citizens or from people
+living the the US. That changed by end of 2000 when the export
+restrictions were basically dropped for all kind of freely available
+software. However there are still some requirements in the US.
+Quoting David Shaw: mail
+#+begin_quote
+For each release of GPG that I contributed to, I sent an email
+containing a pointer to the new source code to the Commerce
+Department. The rules changed slightly in 2004, so that you could
+send a single email and then be done until the information in that
+email changed, so I just sent "www.gnupg.org" and haven't bothered
+with the email since.
+#+end_quote
+
+The rules: http://www.bis.doc.gov/encryption/pubavailencsourcecodenofify.html
+The 2004 rule change: http://edocket.access.gpo.gov/2004/04-26992.htm
+
+
* Acknowledgements
:PROPERTIES:
:CUSTOM_ID: acknowledgements
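Review bot: the two new subsections "Bug reporting and hacking" and "Copyright asssignments" have headings and CUSTOM_IDs but no body text; either add content or leave them out until it exists. Spelling: "asssignments" in the heading and "copyright-assigments" in the CUSTOM_ID (fix the latter now, before anyone links to the anchor), "living the the US", and "all kind of" should be "all kinds of". "Quoting David Shaw: mail" reads like a leftover; "Quoting a mail from David Shaw:" is presumably what was meant. Please also double-check the BIS URL, since "nofify" in it looks like a typo.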
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 892083335..bdb03783e 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -451,10 +451,11 @@ address and the time when you verified the signature.
@item --validation-model @var{name}
@opindex validation-model
This option changes the default validation model. The only possible
-values are "shell" (which is the default) and "chain" which forces the
-use of the chain model. The chain model is also used if an option in
-the @file{trustlist.txt} or an attribute of the certificate requests it.
-However the standard model (shell) is in that case always tried first.
+values are "shell" (which is the default), "chain" which forces the
+use of the chain model and "steed" for a new simplified model. The
+chain model is also used if an option in the @file{trustlist.txt} or
+an attribute of the certificate requests it. However the standard
+model (shell) is in that case always tried first.
@item --ignore-cert-extension @var{oid}
@opindex ignore-cert-extension
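Review bot: "steed" is introduced as "a new simplified model" without saying what it does or where it is described, while the chain model gets two explanatory sentences right after it. Add a sentence on what the STEED model accepts (or a cross reference to where it is documented) so that a user can judge the security consequences of selecting it.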
@@ -1042,9 +1043,9 @@ already existing key. Key-Length will be ignored when given.
@item Key-Usage: @var{usage-list}
Space or comma delimited list of key usage, allowed values are
-@samp{encrypt} and @samp{sign}. This is used to generate the keyUsage
-extension. Please make sure that the algorithm is capable of this
-usage. Default is to allow encrypt and sign.
+@samp{encrypt}, @samp{sign} and @samp{cert}. This is used to generate
+the keyUsage extension. Please make sure that the algorithm is
+capable of this usage. Default is to allow encrypt and sign.
@item Name-DN: @var{subject-name}
This is the Distinguished Name (DN) of the subject in RFC-2253 format.
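Review bot: @samp{cert} is added to the allowed values, but nothing says which keyUsage bit it requests; stating that it asks for the certificate-signing usage (keyCertSign) tells users when to pick it. It would also help to say explicitly that the default ("encrypt and sign") does not include cert, so that a key is not silently made able to sign certificates.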
diff --git a/doc/scdaemon.texi b/doc/scdaemon.texi
index 3c8427997..200fed890 100644
--- a/doc/scdaemon.texi
+++ b/doc/scdaemon.texi
@@ -21,16 +21,16 @@
.IR dir ]
.RB [ \-\-options
.IR file ]
-.RI [ options ]
-.B \-\-server
+.RI [ options ]
+.B \-\-server
.br
.B scdaemon
.RB [ \-\-homedir
.IR dir ]
.RB [ \-\-options
.IR file ]
-.RI [ options ]
-.B \-\-daemon
+.RI [ options ]
+.B \-\-daemon
.RI [ command_line ]
@end ifset
@@ -130,7 +130,7 @@ a numeric value or a keyword:
@item none
No debugging at all. A value of less than 1 may be used instead of
the keyword.
-@item basic
+@item basic
Some basic debug messages. A value between 1 and 2 may be used
instead of the keyword.
@item advanced
@@ -165,8 +165,8 @@ usual C-Syntax. The currently defined bits are:
@table @code
@item 0 (1)
command I/O
-@item 1 (2)
-values of big number integers
+@item 1 (2)
+values of big number integers
@item 2 (4)
low level crypto operations
@item 5 (32)
@@ -178,9 +178,11 @@ show memory statistics.
@item 9 (512)
write hashed data to files named @code{dbgmd-000*}
@item 10 (1024)
-trace Assuan protocol
+trace Assuan protocol. See also option @option{--debug-assuan-log-cats}.
@item 11 (2048)
trace APDU I/O to the card. This may reveal sensitive data.
+@item 12 (4096)
+trace some card reader related function calls.
@end table
@item --debug-all
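Review bot: "trace some card reader related function calls" is vague; say which calls or which layer bit 12 covers. Bit 11 carries the warning "This may reveal sensitive data."; state whether bit 12 output can contain card data as well, since users typically enable these bits when producing logs for bug reports.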
@@ -215,6 +217,15 @@ dump. This options enables it and also changes the working directory to
@opindex debug-log-tid
This option appends a thread ID to the PID in the log output.
+@item --debug-assuan-log-cats @var{cats}
+@opindex debug-assuan-log-cats
+Changes the active Libassuan logging categories to @var{cats}. The
+value for @var{cats} is an unsigned integer given in usual C-Syntax.
+A value of of 0 switches to a default category. If this option is not
+used the categories are taken from the environment variable
+@samp{ASSUAN_DEBUG}. Note that this option has only an effect if the
+Assuan debug flag has also been with the option @option{--debug}. For
+a list of categories see the Libassuan manual.
@item --no-detach
@opindex no-detach
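Review bot: two wording slips in the new option text: "A value of of 0" doubles "of", and "has also been with the option @option{--debug}" is missing a verb ("has also been enabled with"). "switches to a default category" also does not say what the default is; if 0 means restoring Libassuan's default categories, say so.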
@@ -240,7 +251,7 @@ Use @var{library} to access the smartcard reader. The current default
is @file{libtowitoko.so}. Note that the use of this interface is
deprecated; it may be removed in future releases.
-@item --disable-ccid
+@item --disable-ccid
@opindex disable-ccid
Disable the integrated support for CCID compliant readers. This
allows to fall back to one of the other drivers even if the internal
@@ -318,6 +329,7 @@ stripping off the two leading dashes.
* DINSIG Card:: The DINSIG card application
* PKCS#15 Card:: The PKCS#15 card application
* Geldkarte Card:: The Geldkarte application
+* Undefined Card:: The Undefined stub application
@end menu
@node OpenPGP Card
@@ -325,7 +337,7 @@ stripping off the two leading dashes.
This application is currently only used by @command{gpg} but may in
future also be useful with @command{gpgsm}. Version 1 and version 2 of
-the card is supported.
+the card is supported.
The specifications for these cards are available at
@uref{http://g10code.com/docs/openpgp-card-1.0.pdf} and
@@ -358,6 +370,14 @@ This is a simple application to display information of a German
Geldkarte. The Geldkarte is a small amount debit card application which
comes with almost all German banking cards.
+@node Undefined Card
+@subsection The Undefined card application ``undefined''
+
+This is a stub application to allow the use of the APDU command even
+if no supported application is found on the card. This application is
+not used automatically but must be explicitly requested using the
+SERIALNO command.
+
@c *******************************************
@c *************** ****************
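Review bot: the stub is presented as a way to use the APDU command when no supported application is found, but the text should cross-reference the APDU command node (@ref{Scdaemon APDU}) and make clear that with this application selected scdaemon performs no application-level interpretation, so the client is responsible for every APDU it sends. Giving the exact SERIALNO argument ("undefined") in the body text rather than only in the subsection title would also help.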
@@ -395,7 +415,7 @@ about reader status changes. Its use is now deprecated in favor of
@end table
-@c
+@c
@c Examples
@c
@mansect examples
@@ -410,7 +430,7 @@ $ scdaemon --server -v
@c man end
-@c
+@c
@c Assuan Protocol
@c
@manpause
@@ -447,7 +467,7 @@ synchronizing access to a token between sessions.
* Scdaemon APDU:: Send a verbatim APDU to the card
@end menu
-@node Scdaemon SERIALNO
+@node Scdaemon SERIALNO
@subsection Return the serial number
This command should be used to check for the presence of a card. It is
@@ -470,7 +490,7 @@ Return the serial number of the card using a status response like:
@end example
The trailing 0 should be ignored for now, it is reserved for a future
-extension. The serial number is the hex encoded value identified by
+extension. The serial number is the hex encoded value identified by
the @code{0x5A} tag in the GDO file (FIX=0x2F02).
@@ -522,7 +542,7 @@ READKEY @var{hexified_certid}
@end example
Return the public key for the given cert or key ID as an standard
-S-Expression.
+S-Expression.
@@ -619,7 +639,7 @@ TO BE WRITTEN.
@example
PASSWD [--reset] [--nullpin] @var{chvno}
@end example
-
+
Change the PIN or reset the retry counter of the card holder
verification vector number @var{chvno}. The option @option{--nullpin}
is used to initialize the PIN of TCOS cards (6 byte NullPIN only).
@@ -663,11 +683,11 @@ and only if the retry counter is still at 3.
Restart the current connection; this is a kind of warm reset. It
deletes the context used by this connection but does not actually
-reset the card.
+reset the card.
This is used by gpg-agent to reuse a primary pipe connection and
may be used by clients to backup from a conflict in the serial
-command; i.e. to select another application.
+command; i.e. to select another application.
@@ -704,7 +724,7 @@ length up to N bytes. If N is not given a default value is used
@mansect see also
@ifset isman
@command{gpg-agent}(1),
-@command{gpgsm}(1),
+@command{gpgsm}(1),
@command{gpg2}(1)
@end ifset
@include see-also-note.texi