author: Christian Grothoff <christian@grothoff.org> 2021-07-18 09:21:10 +0200
committer: Christian Grothoff <christian@grothoff.org> 2021-07-18 09:21:10 +0200
commit: 1a15895d1307896a71d2e3158baa3ba851315233
tree: 1aaa21b8d77cc5d3364f13f1556d7f9831abd77c /doc
parent: 88ed9ae73a4191a5374f44cbd6b3e2aeeb7b2b12
clean up intro
Diffstat (limited to 'doc')
-rw-r--r-- doc/anastasis.texi 421
-rw-r--r-- doc/sphinx/index.rst 29
-rw-r--r-- doc/sphinx/introduction.rst 23
3 files changed, 278 insertions, 195 deletions
diff --git a/doc/anastasis.texi b/doc/anastasis.texi
index 466adaf..d5de311 100644
--- a/doc/anastasis.texi
+++ b/doc/anastasis.texi
@@ -64,7 +64,33 @@ Copyright @copyright{} 2020-2021 Anastasis SARL (AGPLv3+ or GFDL 1.3+)
@c
@c @author Christian Grothoff
-The system will be based on free software and open protocols.
+Anastasis is Free Software protocol and implementation that allows
+users to securely deposit @strong{core secrets} with an open set of escrow
+providers and to recover these secrets if their original copies are
+lost.
+
+Anastasis is intended for users that want to make backups of key
+material, such as OpenPGP encryption keys, hard disk encryption keys
+or master keys of electronic wallets. Anastasis is NOT intended to
+store large amounts of secret data, it is only designed to safeguard
+key material.
+
+Anastasis solves the issue of keeping key material both available
+to the authorized user(s), and confidential from anyone else.
+
+With Anastasis, the @strong{core secrets} are protected from the Anastasis
+escrow providers by encrypting each with a @strong{master key}. The
+@strong{master key} can be split and distributed across the escrow
+providers to ensure that no single escrow provider can recover the
+@strong{master key} on its own. Which subset(s) of Anastasis providers
+must be contacted to recover a @strong{master key} is freely configurable.
+
+With Anastasis, users can reliably recover their @strong{core secret},
+while Anastasis makes this difficult for everyone else. This is even
+true if the user is unable to reliably remember any secret with
+sufficiently high entropy: Anastasis does not simply reduce the
+problem to encrypting the @strong{core secret} using some other key
+material in possession of the user.
@menu
* Documentation Overview::
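Review bot: The added sentence "to ensure that no single escrow provider can recover the master key on its own" reads as an unconditional guarantee, but the same paragraph says the master key "can be split" and that the subset of providers to contact "is freely configurable", so the property only holds when the user configures recovery to require more than one provider. Suggest stating that condition in the sentence itself. Two wording fixes in the same block: the first added line is missing an article ("Anastasis is a Free Software protocol and implementation"), and "secret data, it is only designed" is a comma splice that reads better as two sentences.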
@@ -88,6 +114,12 @@ Documentation Overview
* Complete Index::
* GNU Free Documentation License::
+Introduction
+
+* User Identifiers::
+* Adversary models::
+* The recovery document::
+
Installation
* Installing from source::
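Review bot: The three new detailmenu entries mix capitalisation: "User Identifiers" is title case while "Adversary models" and "The recovery document" are sentence case. Pick one style for the three sibling subsections and apply it to the matching @node and @subsection names added later in this patch, since the menu entries have to match the node names exactly.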
@@ -349,14 +381,21 @@ GNU Free Documentation License
@section Introduction
-Anastasis is a service that allows the user to securely deposit a
-@strong{core secret} with an open set of escrow providers and recover it if the secret is
-lost. The @strong{core secret} itself is protected from the escrow providers by
-encrypting it with a @strong{master key}. The main objective of Anastasis is to
-ensure that the user can reliably recover the @strong{core secret}, while making
-this difficult for everyone else. Furthermore, it is assumed that the user is
-unable to reliably remember any secret with sufficiently high entropy, so we
-cannot simply encrypt using some other key material in possession of the user.
+To understand how Anastasis works, you need to understand three key
+concepts: user identifiers, our adversary model and the role of the
+recovery document.
+
+@menu
+* User Identifiers::
+* Adversary models::
+* The recovery document::
+
+@end menu
+
+@node User Identifiers,Adversary models,,Introduction
+@anchor{introduction user-identifiers}@anchor{5}
+@subsection User Identifiers
+
To uniquely identify users, an “unforgettable” @strong{identifier} is used. This
identifier should be difficult to guess for anybody but the user. However, the
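Review bot: The new lead-in announces "our adversary model" (singular), but the menu entry, @node and @anchor added for it use "Adversary models" (plural), and the section body itself opens with "The adversary model of Anastasis has two types of adversaries". Suggest naming the node "Adversary model" so all three agree. The paragraph removed here also carried the assumption that the user cannot reliably remember a high-entropy secret; that statement now lives only in the top-level text added in the first hunk, so a reader who jumps straight to this section no longer sees it.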
@@ -365,6 +404,11 @@ cryptographically secure. Examples for such identifier would be a
concatenation of the full name of the user and their social security or
passport number(s). For Swiss citizens, the AHV number could also be used.
+@node Adversary models,The recovery document,User Identifiers,Introduction
+@anchor{introduction adversary-models}@anchor{6}
+@subsection Adversary models
+
+
The adversary model of Anastasis has two types of adversaries: weak
adversaries which do not know the user’s @strong{identifier}, and strong
adversaries which somehow do know a user’s @strong{identifier}. For weak
@@ -375,6 +419,11 @@ escrow providers must have colluded. The user is able to specify a set of
collude to break confidentiality. These policies also set the bar for the user
to recover their core secret.
+@node The recovery document,,Adversary models,Introduction
+@anchor{introduction the-recovery-document}@anchor{7}
+@subsection The recovery document
+
+
A @strong{recovery document} includes all of the information a user needs to
recover access to their core secret. It specifies a set of @strong{escrow
methods}, which specify how the user should convince the Anastasis server
@@ -416,7 +465,7 @@ may be exposed to an adversary which monitors the user’s network traffic).
@c @author Dennis Neufeld
@node Installation,Configuration,Introduction,Documentation Overview
-@anchor{installation doc}@anchor{5}@anchor{installation installation}@anchor{6}
+@anchor{installation doc}@anchor{8}@anchor{installation installation}@anchor{9}
@section Installation
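Review bot: From this hunk onward the patch is almost entirely renumbering of positional anchors: inserting the three Introduction subsections (anchors 5, 6, 7) shifts "installation doc" from 5 to 8 and "installation installation" from 6 to 9, and every later hexadecimal anchor and numeric @ref target (for example @ref{26,,ErrorDetail} becoming @ref{29,,ErrorDetail}) moves by three as well. That makes the real content change hard to find in review and means any link that relied on a numeric anchor now points at a different section. If this file is produced from the doc/sphinx sources listed in the diffstat, consider committing the regenerated output separately from the text change, and prefer the named anchors (such as "installation doc") for anything that needs to stay stable.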
@@ -477,7 +526,7 @@ and should just be installed using the respective package manager.
@end menu
@node Installing from source,Installing Anastasis binary packages on Debian,,Installation
-@anchor{installation installing-from-source}@anchor{7}
+@anchor{installation installing-from-source}@anchor{a}
@subsection Installing from source
@@ -495,7 +544,7 @@ the GNU Taler exchange from source.
@end menu
@node Installing GNUnet,Installing the Taler Exchange,,Installing from source
-@anchor{installation installing-gnunet}@anchor{8}
+@anchor{installation installing-gnunet}@anchor{b}
@subsubsection Installing GNUnet
@@ -522,7 +571,7 @@ shared object libraries (@code{.so} files)
visible to the various installed programs.
@node Installing the Taler Exchange,Installing the Taler Merchant,Installing GNUnet,Installing from source
-@anchor{installation installing-the-taler-exchange}@anchor{9}
+@anchor{installation installing-the-taler-exchange}@anchor{c}
@subsubsection Installing the Taler Exchange
@@ -544,7 +593,7 @@ which requires you to run the last step as @code{root}. You have to specify
previous step.
@node Installing the Taler Merchant,Installing Anastasis,Installing the Taler Exchange,Installing from source
-@anchor{installation installing-the-taler-merchant}@anchor{a}
+@anchor{installation installing-the-taler-merchant}@anchor{d}
@subsubsection Installing the Taler Merchant
@@ -589,7 +638,7 @@ find the installed libraries and launching the Taler merchant backend would
then fail.
@node Installing Anastasis,Installing GNUnet-gtk,Installing the Taler Merchant,Installing from source
-@anchor{installation installing-anastasis}@anchor{b}
+@anchor{installation installing-anastasis}@anchor{e}
@subsubsection Installing Anastasis
@@ -625,7 +674,7 @@ find the installed libraries and launching the Anastasis backend would
then fail.
@node Installing GNUnet-gtk,Installing Anastasis-gtk,Installing Anastasis,Installing from source
-@anchor{installation installing-gnunet-gtk}@anchor{c}
+@anchor{installation installing-gnunet-gtk}@anchor{f}
@subsubsection Installing GNUnet-gtk
@@ -659,7 +708,7 @@ step, it is possible that the linker may not find the installed libraries and
launching gnunet-gtk would then fail.
@node Installing Anastasis-gtk,,Installing GNUnet-gtk,Installing from source
-@anchor{installation installing-anastasis-gtk}@anchor{d}
+@anchor{installation installing-anastasis-gtk}@anchor{10}
@subsubsection Installing Anastasis-gtk
@@ -696,7 +745,7 @@ run @code{ldconfig}. Without this step, it is possible that the linker may not
find the installed libraries and launching anastasis-gtk would then fail.
@node Installing Anastasis binary packages on Debian,Installing Anastasis binary packages on Ubuntu,Installing from source,Installation
-@anchor{installation installing-anastasis-binary-packages-on-debian}@anchor{e}
+@anchor{installation installing-anastasis-binary-packages-on-debian}@anchor{11}
@subsection Installing Anastasis binary packages on Debian
@@ -769,7 +818,7 @@ using apt.
@end menu
@node Installing the graphical front-end,Installing the backend,,Installing Anastasis binary packages on Debian
-@anchor{installation installing-the-graphical-front-end}@anchor{f}
+@anchor{installation installing-the-graphical-front-end}@anchor{12}
@subsubsection Installing the graphical front-end
@@ -786,7 +835,7 @@ $ anastasis-gtk
@end example
@node Installing the backend,,Installing the graphical front-end,Installing Anastasis binary packages on Debian
-@anchor{installation installing-the-backend}@anchor{10}
+@anchor{installation installing-the-backend}@anchor{13}
@subsubsection Installing the backend
@@ -819,7 +868,7 @@ need to install a Taler merchant backend via:
@end example
@node Installing Anastasis binary packages on Ubuntu,,Installing Anastasis binary packages on Debian,Installation
-@anchor{installation installing-anastasis-binary-packages-on-ubuntu}@anchor{11}
+@anchor{installation installing-anastasis-binary-packages-on-ubuntu}@anchor{14}
@subsection Installing Anastasis binary packages on Ubuntu
@@ -860,7 +909,7 @@ using apt.
@end menu
@node Installing the graphical front-end<2>,Installing the backend<2>,,Installing Anastasis binary packages on Ubuntu
-@anchor{installation id1}@anchor{12}
+@anchor{installation id1}@anchor{15}
@subsubsection Installing the graphical front-end
@@ -877,7 +926,7 @@ $ anastasis-gtk
@end example
@node Installing the backend<2>,,Installing the graphical front-end<2>,Installing Anastasis binary packages on Ubuntu
-@anchor{installation id2}@anchor{13}
+@anchor{installation id2}@anchor{16}
@subsubsection Installing the backend
@@ -923,7 +972,7 @@ need to install a Taler merchant backend via:
@c @author Dennis Neufeld
@node Configuration,Cryptography,Installation,Documentation Overview
-@anchor{configuration doc}@anchor{14}@anchor{configuration configuration}@anchor{15}
+@anchor{configuration doc}@anchor{17}@anchor{configuration configuration}@anchor{18}
@section Configuration
@@ -938,7 +987,7 @@ configuration format.
@end menu
@node Configuration format,Using anastasis-config,,Configuration
-@anchor{configuration configuration-format}@anchor{16}
+@anchor{configuration configuration-format}@anchor{19}
@subsection Configuration format
@@ -1013,7 +1062,7 @@ merchant needs to know an exchange URL, or a database name.
@end quotation
@node Using anastasis-config,,Configuration format,Configuration
-@anchor{configuration using-anastasis-config}@anchor{17}
+@anchor{configuration using-anastasis-config}@anchor{1a}
@subsection Using anastasis-config
@@ -1084,7 +1133,7 @@ option.
@c @author Dennis Neufeld
@node Cryptography,REST API,Configuration,Documentation Overview
-@anchor{cryptography doc}@anchor{18}@anchor{cryptography cryptography}@anchor{19}
+@anchor{cryptography doc}@anchor{1b}@anchor{cryptography cryptography}@anchor{1c}
@section Cryptography
@@ -1131,7 +1180,7 @@ encrypted @strong{core secret}, a set of escrow methods and a set of policies.
@end menu
@node Key derivations,Key Usage,,Cryptography
-@anchor{cryptography key-derivations}@anchor{1a}
+@anchor{cryptography key-derivations}@anchor{1d}
@subsection Key derivations
@@ -1174,7 +1223,7 @@ kdf_id := Argon2( identifier, server_salt, keysize )
@end menu
@node Verification,Encryption,,Key derivations
-@anchor{cryptography verification}@anchor{1b}
+@anchor{cryptography verification}@anchor{1e}
@subsubsection Verification
@@ -1218,7 +1267,7 @@ digest[31] &= 0xf8;
@strong{eddsa_pub}: The generated EdDSA public key.
@node Encryption,,Verification,Key derivations
-@anchor{cryptography encryption}@anchor{1c}
+@anchor{cryptography encryption}@anchor{1f}
@subsubsection Encryption
@@ -1249,7 +1298,7 @@ avoid key reuse. So, we have to use different nonces to get different keys and I
@strong{iv}: IV which will be used for AES-GCM.
@node Key Usage,Availability Considerations,Key derivations,Cryptography
-@anchor{cryptography key-usage}@anchor{1d}
+@anchor{cryptography key-usage}@anchor{20}
@subsection Key Usage
@@ -1263,7 +1312,7 @@ the @strong{key_share} of the user.
@end menu
@node Encryption<2>,Signatures,,Key Usage
-@anchor{cryptography id1}@anchor{1e}
+@anchor{cryptography id1}@anchor{21}
@subsubsection Encryption
@@ -1320,7 +1369,7 @@ ekss := HKDF("Anastasis-secure-question-uuid-salting",
@strong{ekss}: Replacement salt to be used instead of “eks” when deriving the key to encrypt/decrypt the key share.
@node Signatures,,Encryption<2>,Key Usage
-@anchor{cryptography signatures}@anchor{1f}
+@anchor{cryptography signatures}@anchor{22}
@subsubsection Signatures
@@ -1353,7 +1402,7 @@ ver_res := eddsa_verifiy(version, anastasis-account-signature, eddsa_pub)
@strong{ver_res}: A boolean value. True: Signature verification passed, False: Signature verification failed.
@node Availability Considerations,,Key Usage,Cryptography
-@anchor{cryptography availability-considerations}@anchor{20}
+@anchor{cryptography availability-considerations}@anchor{23}
@subsection Availability Considerations
@@ -1401,7 +1450,7 @@ capacity.
@c @author Dennis Neufeld
@node REST API,Reducer API,Cryptography,Documentation Overview
-@anchor{rest doc}@anchor{21}@anchor{rest rest-api}@anchor{22}
+@anchor{rest doc}@anchor{24}@anchor{rest rest-api}@anchor{25}
@section REST API
@@ -1430,7 +1479,7 @@ capacity.
@end menu
@node HTTP Request and Response,Protocol Version Ranges,,REST API
-@anchor{rest http-common}@anchor{23}@anchor{rest http-request-and-response}@anchor{24}
+@anchor{rest http-common}@anchor{26}@anchor{rest http-request-and-response}@anchor{27}
@subsection HTTP Request and Response
@@ -1440,7 +1489,7 @@ theoretically fail to receive any response. In this case, the client should
verify that the Internet connection is working properly, and then proceed to
handle the error as if an internal error (500) had been returned.
-@anchor{rest any--*}@anchor{25}
+@anchor{rest any--*}@anchor{28}
@deffn {HTTP Any} ANY /*
@strong{Request:}
@@ -1495,7 +1544,7 @@ within 24h.
@end table
Unless specified otherwise, all error status codes (4xx and 5xx) have a message
-body with an @ref{26,,ErrorDetail} JSON object.
+body with an @ref{29,,ErrorDetail} JSON object.
@strong{Details:}
@@ -1515,7 +1564,7 @@ interface ErrorDetail @{
@end deffn
@node Protocol Version Ranges,Common encodings,HTTP Request and Response,REST API
-@anchor{rest protocol-version-ranges}@anchor{27}
+@anchor{rest protocol-version-ranges}@anchor{2a}
@subsection Protocol Version Ranges
@@ -1600,7 +1649,7 @@ to decide whether it will talk to the service.
@end cartouche
@node Common encodings,,Protocol Version Ranges,REST API
-@anchor{rest common-encodings}@anchor{28}@anchor{rest encodings-ref}@anchor{29}
+@anchor{rest common-encodings}@anchor{2b}@anchor{rest encodings-ref}@anchor{2c}
@subsection Common encodings
@@ -1627,7 +1676,7 @@ This section describes how certain types of values are represented throughout th
@end menu
@node Binary Data,Hash codes,,Common encodings
-@anchor{rest base32}@anchor{2a}@anchor{rest binary-data}@anchor{2b}
+@anchor{rest base32}@anchor{2d}@anchor{rest binary-data}@anchor{2e}
@subsubsection Binary Data
@@ -1642,12 +1691,12 @@ type “base32” and the term “Crockford Base32” in the text to refer to th
resulting encoding.
@node Hash codes,Large numbers,Binary Data,Common encodings
-@anchor{rest hash-codes}@anchor{2c}
+@anchor{rest hash-codes}@anchor{2f}
@subsubsection Hash codes
Hash codes are strings representing base32 encoding of the respective
-hashed data. See @ref{2a,,base32}.
+hashed data. See @ref{2d,,base32}.
@example
// 64-byte hash code.
@@ -1660,7 +1709,7 @@ type ShortHashCode = string;
@end example
@node Large numbers,Timestamps,Hash codes,Common encodings
-@anchor{rest large-numbers}@anchor{2d}
+@anchor{rest large-numbers}@anchor{30}
@subsubsection Large numbers
@@ -1668,7 +1717,7 @@ Large numbers such as 256 bit keys, are transmitted as other binary data in
Crockford Base32 encoding.
@node Timestamps,Integers,Large numbers,Common encodings
-@anchor{rest timestamps}@anchor{2e}
+@anchor{rest timestamps}@anchor{31}
@subsubsection Timestamps
@@ -1692,7 +1741,7 @@ interface Duration @{
@end example
@node Integers,Objects,Timestamps,Common encodings
-@anchor{rest integers}@anchor{2f}@anchor{rest publickey}@anchor{30}
+@anchor{rest integers}@anchor{32}@anchor{rest publickey}@anchor{33}
@subsubsection Integers
@@ -1702,7 +1751,7 @@ type Integer = number;
@end example
@node Objects,Keys,Integers,Common encodings
-@anchor{rest objects}@anchor{31}
+@anchor{rest objects}@anchor{34}
@subsubsection Objects
@@ -1712,7 +1761,7 @@ type Object = object;
@end example
@node Keys,Signatures<2>,Objects,Common encodings
-@anchor{rest keys}@anchor{32}
+@anchor{rest keys}@anchor{35}
@subsubsection Keys
@@ -1731,7 +1780,7 @@ type EddsaPrivateKey = string;
@end example
@node Signatures<2>,Amounts,Keys,Common encodings
-@anchor{rest signature}@anchor{33}@anchor{rest signatures}@anchor{34}
+@anchor{rest signature}@anchor{36}@anchor{rest signatures}@anchor{37}
@subsubsection Signatures
@@ -1742,7 +1791,7 @@ type EddsaSignature = string;
@end example
@node Amounts,Time,Signatures<2>,Common encodings
-@anchor{rest amount}@anchor{35}@anchor{rest amounts}@anchor{36}
+@anchor{rest amount}@anchor{38}@anchor{rest amounts}@anchor{39}
@subsubsection Amounts
@@ -1781,7 +1830,7 @@ An amount that is prefixed with a @code{+} or @code{-} character is also used in
When no sign is present, the amount is assumed to be positive.
@node Time,Cryptographic primitives,Amounts,Common encodings
-@anchor{rest time}@anchor{37}
+@anchor{rest time}@anchor{3a}
@subsubsection Time
@@ -1798,7 +1847,7 @@ struct GNUNET_TIME_AbsoluteNBO @{
@end example
@node Cryptographic primitives,Signatures<3>,Time,Common encodings
-@anchor{rest cryptographic-primitives}@anchor{38}
+@anchor{rest cryptographic-primitives}@anchor{3b}
@subsubsection Cryptographic primitives
@@ -1811,7 +1860,7 @@ struct GNUNET_HashCode @{
uint8_t hash[64]; // usually SHA-512
@};
@end example
-@anchor{rest taler-ecdhephemeralpublickeyp}@anchor{39}
+@anchor{rest taler-ecdhephemeralpublickeyp}@anchor{3c}
@example
struct TALER_EcdhEphemeralPublicKeyP @{
uint8_t ecdh_pub[32];
@@ -1825,7 +1874,7 @@ struct UUID @{
@end example
@node Signatures<3>,Receiving Configuration,Cryptographic primitives,Common encodings
-@anchor{rest id1}@anchor{3a}@anchor{rest id2}@anchor{3b}
+@anchor{rest id1}@anchor{3d}@anchor{rest id2}@anchor{3e}
@subsubsection Signatures
@@ -1859,21 +1908,21 @@ struct GNUNET_CRYPTO_EccSignaturePurpose @{
uint32_t size;
@};
@end example
-@anchor{rest salt}@anchor{3c}
+@anchor{rest salt}@anchor{3f}
@node Receiving Configuration,Receiving Terms of Service,Signatures<3>,Common encodings
-@anchor{rest config}@anchor{3d}@anchor{rest receiving-configuration}@anchor{3e}
+@anchor{rest config}@anchor{40}@anchor{rest receiving-configuration}@anchor{41}
@subsubsection Receiving Configuration
-@anchor{rest get--config}@anchor{3f}
+@anchor{rest get--config}@anchor{42}
@deffn {HTTP Get} GET /config
Obtain the configuration details of the escrow provider.
@strong{Response:}
-Returns an @ref{40,,EscrowConfigurationResponse}.
-@anchor{rest escrowconfigurationresponse}@anchor{40}
+Returns an @ref{43,,EscrowConfigurationResponse}.
+@anchor{rest escrowconfigurationresponse}@anchor{43}
@example
interface EscrowConfigurationResponse @{
@@ -1915,7 +1964,7 @@ interface EscrowConfigurationResponse @{
@}
@end example
-@anchor{rest authorizationmethodconfig}@anchor{41}
+@anchor{rest authorizationmethodconfig}@anchor{44}
@example
interface AuthorizationMethodConfig @{
// Name of the authorization method.
@@ -1929,11 +1978,11 @@ interface AuthorizationMethodConfig @{
@end deffn
@node Receiving Terms of Service,Manage policy,Receiving Configuration,Common encodings
-@anchor{rest receiving-terms-of-service}@anchor{42}@anchor{rest terms}@anchor{43}
+@anchor{rest receiving-terms-of-service}@anchor{45}@anchor{rest terms}@anchor{46}
@subsubsection Receiving Terms of Service
-@anchor{rest get--terms}@anchor{44}
+@anchor{rest get--terms}@anchor{47}
@deffn {HTTP Get} GET /terms
Obtain the terms of service provided by the escrow provider.
@@ -1944,7 +1993,7 @@ Returns the terms of service of the provider, in the best language
and format available based on the client’s request.
@end deffn
-@anchor{rest get--privacy}@anchor{45}
+@anchor{rest get--privacy}@anchor{48}
@deffn {HTTP Get} GET /privacy
Obtain the privacy policy of the service provided by the escrow provider.
@@ -1956,7 +2005,7 @@ and format available based on the client’s request.
@end deffn
@node Manage policy,Managing truth,Receiving Terms of Service,Common encodings
-@anchor{rest id3}@anchor{46}@anchor{rest manage-policy}@anchor{47}
+@anchor{rest id3}@anchor{49}@anchor{rest manage-policy}@anchor{4a}
@subsubsection Manage policy
@@ -1971,7 +2020,7 @@ public key using the Crockford base32-encoding.
In the following, UUID is always defined and used according to RFC 4122@footnote{https://tools.ietf.org/html/rfc4122}.
-@anchor{rest get--policy-$ACCOUNT_PUB[?version=$NUMBER]}@anchor{48}
+@anchor{rest get--policy-$ACCOUNT_PUB[?version=$NUMBER]}@anchor{4b}
@deffn {HTTP Get} GET /policy/$ACCOUNT_PUB[?version=$NUMBER]
Get the customer’s encrypted recovery document. If @code{version}
@@ -2007,7 +2056,7 @@ code in case the resource matches the provided Etag.
@item 200 OK@footnote{http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1}:
-The escrow provider responds with an @ref{49,,EncryptedRecoveryDocument} object.
+The escrow provider responds with an @ref{4c,,EncryptedRecoveryDocument} object.
@item 304 Not modified@footnote{http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.5}:
@@ -2033,7 +2082,7 @@ The requested resource was not found.
@emph{Anastasis-Version}: $NUMBER — The server must return actual version of the encrypted recovery document via this header.
If the client specified a version number in the header of the request, the server must return that version. If the client
-did not specify a version in the request, the server returns latest version of the @ref{49,,EncryptedRecoveryDocument}.
+did not specify a version in the request, the server returns latest version of the @ref{4c,,EncryptedRecoveryDocument}.
@emph{Etag}: Set by the server to the Base32-encoded SHA512 hash of the body. Used for caching and to prevent redundancies. The server MUST send the Etag if the status code is @code{200 OK}.
@@ -2043,7 +2092,7 @@ The client SHOULD send this header with every request (except for the first requ
@emph{Anastasis-Account-Signature}: The client must provide Base-32 encoded EdDSA signature over hash of body with @code{$ACCOUNT_PRIV}, affirming desire to download the requested encrypted recovery document. The purpose used MUST be @code{TALER_SIGNATURE_ANASTASIS_POLICY_DOWNLOAD} (1401).
@end deffn
-@anchor{rest post--policy-$ACCOUNT_PUB}@anchor{4a}
+@anchor{rest post--policy-$ACCOUNT_PUB}@anchor{4d}
@deffn {HTTP Post} POST /policy/$ACCOUNT_PUB
Upload a new version of the customer’s encrypted recovery document.
@@ -2129,7 +2178,7 @@ The upload is too large @emph{or} too small. The response body may elaborate on
@end table
@strong{Details:}
-@anchor{rest encryptedrecoverydocument}@anchor{49}
+@anchor{rest encryptedrecoverydocument}@anchor{4c}
@example
interface EncryptedRecoveryDocument @{
// Nonce used to compute the (iv,key) pair for encryption of the
@@ -2147,7 +2196,7 @@ interface EncryptedRecoveryDocument @{
@}
@end example
-@anchor{rest recoverydocument}@anchor{4b}
+@anchor{rest recoverydocument}@anchor{4e}
@example
interface RecoveryDocument @{
// Account identifier at backup provider, AES-encrypted with
@@ -2165,7 +2214,7 @@ interface RecoveryDocument @{
@}
@end example
-@anchor{rest escrowmethod}@anchor{4c}
+@anchor{rest escrowmethod}@anchor{4f}
@example
interface EscrowMethod @{
// URL of the escrow provider (including possibly this Anastasis server).
@@ -2197,7 +2246,7 @@ interface EscrowMethod @{
@}
@end example
-@anchor{rest decryptionpolicy}@anchor{4d}
+@anchor{rest decryptionpolicy}@anchor{50}
@example
interface DecryptionPolicy @{
// Salt included to encrypt master key share when
@@ -2217,7 +2266,7 @@ interface DecryptionPolicy @{
@end deffn
@node Managing truth,,Manage policy,Common encodings
-@anchor{rest managing-truth}@anchor{4e}@anchor{rest truth}@anchor{4f}
+@anchor{rest managing-truth}@anchor{51}@anchor{rest truth}@anchor{52}
@subsubsection Managing truth
@@ -2232,10 +2281,10 @@ data required for such a respective escrow method.
An Anastasis-server may store truth for free for a certain time period, or
charge per truth operation using GNU Taler.
-@anchor{rest post--truth-$UUID}@anchor{50}
+@anchor{rest post--truth-$UUID}@anchor{53}
@deffn {HTTP Post} POST /truth/$UUID
-Upload a @ref{51,,TruthUploadRequest}-Object according to the policy the client created before (see @ref{4b,,RecoveryDocument}).
+Upload a @ref{54,,TruthUploadRequest}-Object according to the policy the client created before (see @ref{4e,,RecoveryDocument}).
If request has been seen before, the server should do nothing, and otherwise store the new object.
@strong{Request:}
@@ -2284,7 +2333,7 @@ The selected authentication method is not supported on this provider.
@end table
@strong{Details:}
-@anchor{rest truthuploadrequest}@anchor{51}
+@anchor{rest truthuploadrequest}@anchor{54}
@example
interface TruthUploadRequest @{
// Contains the information of an interface `EncryptedKeyShare`, but simply
@@ -2321,11 +2370,11 @@ interface TruthUploadRequest @{
@end example
@end deffn
-@anchor{rest get--truth-$UUID[?response=$H_RESPONSE]}@anchor{52}
+@anchor{rest get--truth-$UUID[?response=$H_RESPONSE]}@anchor{55}
@deffn {HTTP Get} GET /truth/$UUID[?response=$H_RESPONSE]
Get the stored encrypted key share. If @code{$H_RESPONSE} is specified by the client, the server checks
-if @code{$H_RESPONSE} matches the expected response specified before within the @ref{51,,TruthUploadRequest} (see @code{encrypted_truth}).
+if @code{$H_RESPONSE} matches the expected response specified before within the @ref{54,,TruthUploadRequest} (see @code{encrypted_truth}).
Also, the user has to provide the correct @emph{truth_encryption_key} with every get request (see below).
When @code{$H_RESPONSE} is correct, the server responds with the encrypted key share.
The encrypted key share is returned simply as a byte array and not in JSON format.
@@ -2337,7 +2386,7 @@ The encrypted key share is returned simply as a byte array and not in JSON forma
@item 200 OK@footnote{http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1}:
-@ref{53,,EncryptedKeyShare} is returned in body (in binary).
+@ref{56,,EncryptedKeyShare} is returned in body (in binary).
@item 202 Accepted@footnote{http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.3}:
@@ -2386,11 +2435,11 @@ an e-mail address for sending an E-mail is not a valid e-mail address.
Server is out of Service.
@end table
-@emph{Truth-Decryption-Key}: Key used to encrypt the @strong{truth} (see encrypted_truth within @ref{51,,TruthUploadRequest}) and which has to provided by the user. The key is stored with
-the according @ref{4c,,EscrowMethod}. The server needs this key to get the info out of @ref{51,,TruthUploadRequest} needed to verify the @code{$RESPONSE}.
+@emph{Truth-Decryption-Key}: Key used to encrypt the @strong{truth} (see encrypted_truth within @ref{54,,TruthUploadRequest}) and which has to provided by the user. The key is stored with
+the according @ref{4f,,EscrowMethod}. The server needs this key to get the info out of @ref{54,,TruthUploadRequest} needed to verify the @code{$RESPONSE}.
@strong{Details:}
-@anchor{rest encryptedkeyshare}@anchor{53}
+@anchor{rest encryptedkeyshare}@anchor{56}
@example
interface EncryptedKeyShare @{
// Nonce used to compute the decryption (iv,key) pair.
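Review bot: The two Truth-Decryption-Key lines rewritten in this hunk keep their grammar errors: "which has to provided by the user" is missing "be", and "the according EscrowMethod" should read "the corresponding EscrowMethod". Since both lines are already being touched for the @ref renumbering (51 to 54, 4c to 4f), this is a good place to fix them. The description also says the key is "used to encrypt the truth" while the header is named Truth-Decryption-Key and the following sentence has the server using it to read the upload; a short clause saying the same key serves both directions would remove the ambiguity.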
@@ -2414,7 +2463,7 @@ interface EncryptedKeyShare @{
@}
@end example
-@anchor{rest keyshare}@anchor{54}
+@anchor{rest keyshare}@anchor{57}
@example
interface KeyShare @{
// Key material to concatenate with policy_salt and KDF to derive
@@ -2447,13 +2496,13 @@ interface KeyShare @{
@c @author Dennis Neufeld
@node Reducer API,Authentication Methods,REST API,Documentation Overview
-@anchor{reducer doc}@anchor{55}@anchor{reducer reducer-api}@anchor{56}
+@anchor{reducer doc}@anchor{58}@anchor{reducer reducer-api}@anchor{59}
@section Reducer API
This section describes the Anastasis Reducer API which is used by client applications
to store or load the different states the client application can have.
-The reducer takes a @ref{57,,state} in JSON syntax and returns the new state in JSON syntax.
+The reducer takes a @ref{5a,,state} in JSON syntax and returns the new state in JSON syntax.
For example a @strong{state} may take the following structure:
@@ -2467,7 +2516,7 @@ For example a @strong{state} may take the following structure:
@}
@end example
-The new state depends on the previous one and on the transition @ref{58,,action} with its
+The new state depends on the previous one and on the transition @ref{5b,,action} with its
arguments given to the reducer. A @strong{transition argument} also is a statement in JSON syntax:
@example
@@ -2477,7 +2526,7 @@ arguments given to the reducer. A @strong{transition argument} also is a stateme
@end example
The new state returned by the reducer with the state and transition argument defined
-above would look like following for the transition @ref{58,,action} @code{select_continent}:
+above would look like following for the transition @ref{5b,,action} @code{select_continent}:
@example
@{
@@ -2528,7 +2577,7 @@ above would look like following for the transition @ref{58,,action} @code{select
@end menu
@node States,Backup Reducer,,Reducer API
-@anchor{reducer states}@anchor{59}
+@anchor{reducer states}@anchor{5c}
@subsection States
@@ -2663,10 +2712,10 @@ in FINISHED-states, the operation has definitively concluded.
@end quotation
@node Backup Reducer,Recovery Reducer,States,Reducer API
-@anchor{reducer backup-reducer}@anchor{5a}
+@anchor{reducer backup-reducer}@anchor{5d}
@subsection Backup Reducer
-@anchor{reducer state}@anchor{57}@anchor{reducer action}@anchor{58}
+@anchor{reducer state}@anchor{5a}@anchor{reducer action}@anchor{5b}
@float Figure
@@ -2681,7 +2730,7 @@ The illustration above shows the different states the reducer can have during a
process.
@node Recovery Reducer,Reducer transitions,Backup Reducer,Reducer API
-@anchor{reducer recovery-reducer}@anchor{5b}
+@anchor{reducer recovery-reducer}@anchor{5e}
@subsection Recovery Reducer
@@ -2699,7 +2748,7 @@ The illustration above shows the different states the reducer can have during a
process.
@node Reducer transitions,,Recovery Reducer,Reducer API
-@anchor{reducer reducer-transitions}@anchor{5c}
+@anchor{reducer reducer-transitions}@anchor{5f}
@subsection Reducer transitions
@@ -2716,7 +2765,7 @@ state is preserved to enable “back” transitions to function smoothly.
@end menu
@node Initial state,Common transitions,,Reducer transitions
-@anchor{reducer initial-state}@anchor{5d}
+@anchor{reducer initial-state}@anchor{60}
@subsubsection Initial state
@@ -2779,7 +2828,7 @@ continent names:
Translations must be given in the same order as the main English array.
@node Common transitions,Backup transitions,Initial state,Reducer transitions
-@anchor{reducer common-transitions}@anchor{5e}
+@anchor{reducer common-transitions}@anchor{61}
@subsubsection Common transitions
@@ -3160,7 +3209,7 @@ port 8888 was now added:
@end example
@node Backup transitions,Recovery transitions,Common transitions,Reducer transitions
-@anchor{reducer backup-transitions}@anchor{5f}
+@anchor{reducer backup-transitions}@anchor{62}
@subsubsection Backup transitions
@@ -3843,7 +3892,7 @@ In the above example, 52 would thus imply that the Anastasis provider failed to
store information into its database.
@node Recovery transitions,,Backup transitions,Reducer transitions
-@anchor{reducer recovery-transitions}@anchor{60}
+@anchor{reducer recovery-transitions}@anchor{63}
@subsubsection Recovery transitions
@@ -4320,7 +4369,7 @@ formats are:
@c @author Dennis Neufeld
@node Authentication Methods,DB Schema,Reducer API,Documentation Overview
-@anchor{authentication doc}@anchor{61}@anchor{authentication anastasis-auth-methods}@anchor{62}@anchor{authentication authentication-methods}@anchor{63}
+@anchor{authentication doc}@anchor{64}@anchor{authentication anastasis-auth-methods}@anchor{65}@anchor{authentication authentication-methods}@anchor{66}
@section Authentication Methods
@@ -4348,29 +4397,29 @@ maximum permissible frequency.
@end menu
@node SMS sms,Email verification email,,Authentication Methods
-@anchor{authentication sms-sms}@anchor{64}
+@anchor{authentication sms-sms}@anchor{67}
@subsection SMS (sms)
Sends an SMS with a code (prefixed with @code{A-}) to the user’s phone, including
a UUID which identifies the challenge the code is for. The user must send
-this code back with his request (see @code{$RESPONSE} under @ref{4f,,Managing truth}).
+this code back with his request (see @code{$RESPONSE} under @ref{52,,Managing truth}).
If the transmitted code is correct, the server responses with the requested
encrypted key share.
@node Email verification email,Video identification vid,SMS sms,Authentication Methods
-@anchor{authentication email-verification-email}@anchor{65}
+@anchor{authentication email-verification-email}@anchor{68}
@subsection Email verification (email)
Sends an email with a code (prefixed with @code{A-}) to the user’s mail address,
including a UUID which identifies the challenge the code is for. The user
-must send this code back with his request (see @code{$RESPONSE} under @ref{4f,,Managing truth}).
+must send this code back with his request (see @code{$RESPONSE} under @ref{52,,Managing truth}).
If the transmitted code is correct, the server responses with the
requested encrypted key share.
@node Video identification vid,Security question qa,Email verification email,Authentication Methods
-@anchor{authentication video-identification-vid}@anchor{66}
+@anchor{authentication video-identification-vid}@anchor{69}
@subsection Video identification (vid)
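Review bot: in the SMS and Email subsections the context lines say "the server responses with the requested encrypted key share" and "with his request", while the Snail mail subsection further down already uses "responds" and "their request". These paragraphs are being touched for the @ref{52,,Managing truth} renumbering anyway, so align the wording of all three challenge descriptions in the same pass.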
@@ -4388,7 +4437,7 @@ requesting the user to be redirected to a Web site (or other URL) for the
video-call.
@node Security question qa,Snail mail verification post,Video identification vid,Authentication Methods
-@anchor{authentication security-question-qa}@anchor{67}
+@anchor{authentication security-question-qa}@anchor{6a}
@subsection Security question (qa)
@@ -4411,14 +4460,14 @@ remains irrecoverable without the answer even if the Anastasis provider
storing the security question is malicious.
@node Snail mail verification post,,Security question qa,Authentication Methods
-@anchor{authentication snail-mail-verification-post}@anchor{68}
+@anchor{authentication snail-mail-verification-post}@anchor{6b}
@subsection Snail mail verification (post)
Sends physical mail (snail mail) with a code (prefixed with @code{A-}) to the
user’s mail address, including a UUID which identifies the challenge the code
is for. The user must send this code back with their request (see
-@code{$RESPONSE} under @ref{4f,,Managing truth}). If the transmitted code is correct,
+@code{$RESPONSE} under @ref{52,,Managing truth}). If the transmitted code is correct,
the server responds with the requested encrypted key share.
@c This file is part of Anastasis
@@ -4440,7 +4489,7 @@ the server responds with the requested encrypted key share.
@c @author Dennis Neufeld
@node DB Schema,Design Documents,Authentication Methods,Documentation Overview
-@anchor{db doc}@anchor{69}@anchor{db db-schema}@anchor{6a}
+@anchor{db doc}@anchor{6c}@anchor{db db-schema}@anchor{6d}
@section DB Schema
@@ -4455,7 +4504,7 @@ the server responds with the requested encrypted key share.
@image{anastasis-figures/anastasis_truth_payment,,,,png}
@node Design Documents,Anastasis licensing information,DB Schema,Documentation Overview
-@anchor{design-documents/index doc}@anchor{6b}@anchor{design-documents/index design-documents}@anchor{6c}
+@anchor{design-documents/index doc}@anchor{6e}@anchor{design-documents/index design-documents}@anchor{6f}
@section Design Documents
@@ -4471,7 +4520,7 @@ and protocol.
@end menu
@node Design Doc 001 Anastasis User Experience,Template,,Design Documents
-@anchor{design-documents/001-anastasis-ux doc}@anchor{6d}@anchor{design-documents/001-anastasis-ux design-doc-001-anastasis-user-experience}@anchor{6e}
+@anchor{design-documents/001-anastasis-ux doc}@anchor{70}@anchor{design-documents/001-anastasis-ux design-doc-001-anastasis-user-experience}@anchor{71}
@subsection Design Doc 001: Anastasis User Experience
@@ -4485,7 +4534,7 @@ and protocol.
@end menu
@node Summary,Motivation,,Design Doc 001 Anastasis User Experience
-@anchor{design-documents/001-anastasis-ux summary}@anchor{6f}
+@anchor{design-documents/001-anastasis-ux summary}@anchor{72}
@subsubsection Summary
@@ -4493,7 +4542,7 @@ This document describes the recommended way of implementing the user experience
of setting up and making use of @ref{3,,Introduction} account recovery.
@node Motivation,Setup Steps,Summary,Design Doc 001 Anastasis User Experience
-@anchor{design-documents/001-anastasis-ux motivation}@anchor{70}
+@anchor{design-documents/001-anastasis-ux motivation}@anchor{73}
@subsubsection Motivation
@@ -4505,7 +4554,7 @@ even if all devices and offline secrets have been lost.
Access to the backup key is shared with escrow providers that can be chosen by the user.
@node Setup Steps,Show Service Status After Setup,Motivation,Design Doc 001 Anastasis User Experience
-@anchor{design-documents/001-anastasis-ux setup-steps}@anchor{71}
+@anchor{design-documents/001-anastasis-ux setup-steps}@anchor{74}
@subsubsection Setup Steps
@image{graphviz-2d8d83202d2b7835498d2a5c18fa9e3cc05c4b6a,,,[graphviz],png}
@@ -4521,7 +4570,7 @@ Access to the backup key is shared with escrow providers that can be chosen by t
@end menu
@node Entry point Settings,Providing Identification,,Setup Steps
-@anchor{design-documents/001-anastasis-ux entry-point-settings}@anchor{72}
+@anchor{design-documents/001-anastasis-ux entry-point-settings}@anchor{75}
@subsubsection Entry point: Settings
@@ -4539,7 +4588,7 @@ maybe be integrated into the backup settings.
@image{anastasis-figures/backupsettings,,,,png}
@node Providing Identification,Add Authentication Methods,Entry point Settings,Setup Steps
-@anchor{design-documents/001-anastasis-ux providing-identification}@anchor{73}
+@anchor{design-documents/001-anastasis-ux providing-identification}@anchor{76}
@subsubsection Providing Identification
@@ -4570,12 +4619,12 @@ country of the SIM card. But nothing invasive like the actual GPS location.
@image{anastasis-figures/userid,,,,png}
@node Add Authentication Methods,Confirm/Change Service Providers,Providing Identification,Setup Steps
-@anchor{design-documents/001-anastasis-ux add-authentication-methods}@anchor{74}
+@anchor{design-documents/001-anastasis-ux add-authentication-methods}@anchor{77}
@subsubsection Add Authentication Methods
After creating a unique identifier, the user can chose one or more
-@ref{62,,Authentication Methods} supported by Anastasis.
+@ref{65,,Authentication Methods} supported by Anastasis.
When selecting a method, the user is already asked to provide the information
required for the recovery with that method. For example, a photo of
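Review bot: the sentence directly above the renumbered @ref reads "the user can chose one or more"; it should be "choose". The fix is a one-word change and fits a commit that is already cleaning up documentation text.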
@@ -4592,7 +4641,7 @@ sane values (phone number, e-mail addresses, country of residence).
@image{anastasis-figures/addtruthmail,,,,png}
@node Confirm/Change Service Providers,Defining Recovery Options,Add Authentication Methods,Setup Steps
-@anchor{design-documents/001-anastasis-ux confirm-change-service-providers}@anchor{75}
+@anchor{design-documents/001-anastasis-ux confirm-change-service-providers}@anchor{78}
@subsubsection Confirm/Change Service Providers
@@ -4608,7 +4657,7 @@ default list provided by the wallet.
@image{anastasis-figures/addpolicymethod,,,,png}
@node Defining Recovery Options,Pay for Setup,Confirm/Change Service Providers,Setup Steps
-@anchor{design-documents/001-anastasis-ux defining-recovery-options}@anchor{76}
+@anchor{design-documents/001-anastasis-ux defining-recovery-options}@anchor{79}
@subsubsection Defining Recovery Options
@@ -4631,7 +4680,7 @@ should get updated with each user action affecting those costs such as
when the user reconfigures the policies.
@node Pay for Setup,,Defining Recovery Options,Setup Steps
-@anchor{design-documents/001-anastasis-ux pay-for-setup}@anchor{77}
+@anchor{design-documents/001-anastasis-ux pay-for-setup}@anchor{7a}
@subsubsection Pay for Setup
@@ -4640,14 +4689,14 @@ asked to pay for the service with the regular wallet payment confirmation
screen.
@node Show Service Status After Setup,Recovery Steps,Setup Steps,Design Doc 001 Anastasis User Experience
-@anchor{design-documents/001-anastasis-ux show-service-status-after-setup}@anchor{78}
+@anchor{design-documents/001-anastasis-ux show-service-status-after-setup}@anchor{7b}
@subsubsection Show Service Status After Setup
TODO
@node Recovery Steps,,Show Service Status After Setup,Design Doc 001 Anastasis User Experience
-@anchor{design-documents/001-anastasis-ux recovery-steps}@anchor{79}
+@anchor{design-documents/001-anastasis-ux recovery-steps}@anchor{7c}
@subsubsection Recovery Steps
@image{graphviz-834e5a93329dec2ccdefd2a21bdfb5a02bad1c84,,,[graphviz],png}
@@ -4663,7 +4712,7 @@ TODO
@end menu
@node Entry point Settings<2>,Providing Identification<2>,,Recovery Steps
-@anchor{design-documents/001-anastasis-ux id1}@anchor{7a}
+@anchor{design-documents/001-anastasis-ux id1}@anchor{7d}
@subsubsection Entry point: Settings
@@ -4681,7 +4730,7 @@ checkpoint instead of from the beginning.
@image{anastasis-figures/backupsettings,,,,png}
@node Providing Identification<2>,Select Authentication Challenge,Entry point Settings<2>,Recovery Steps
-@anchor{design-documents/001-anastasis-ux id2}@anchor{7b}
+@anchor{design-documents/001-anastasis-ux id2}@anchor{7e}
@subsubsection Providing Identification
@@ -4692,7 +4741,7 @@ and then to provide country-specific inputs for identification.
@image{anastasis-figures/userid,,,,png}
@node Select Authentication Challenge,Payment,Providing Identification<2>,Recovery Steps
-@anchor{design-documents/001-anastasis-ux select-authentication-challenge}@anchor{7c}
+@anchor{design-documents/001-anastasis-ux select-authentication-challenge}@anchor{7f}
@subsubsection Select Authentication Challenge
@@ -4711,7 +4760,7 @@ When selecting a challenge, the user may be asked to confirm making a payment
for this challenge if the provider requires payment.
@node Payment,Enter Challenge Response,Select Authentication Challenge,Recovery Steps
-@anchor{design-documents/001-anastasis-ux payment}@anchor{7d}
+@anchor{design-documents/001-anastasis-ux payment}@anchor{80}
@subsubsection Payment
@@ -4724,7 +4773,7 @@ used – except of course if the security question challenge is free of
charge).
@node Enter Challenge Response,Success,Payment,Recovery Steps
-@anchor{design-documents/001-anastasis-ux enter-challenge-response}@anchor{7e}
+@anchor{design-documents/001-anastasis-ux enter-challenge-response}@anchor{81}
@subsubsection Enter Challenge Response
@@ -4735,7 +4784,7 @@ numeric code, or the full code with the @code{A-} prefix (or ideally, the user
cannot delete the pre-filled @code{A-} text).
@node Success,,Enter Challenge Response,Recovery Steps
-@anchor{design-documents/001-anastasis-ux success}@anchor{7f}
+@anchor{design-documents/001-anastasis-ux success}@anchor{82}
@subsubsection Success
@@ -4744,7 +4793,7 @@ as part of a separate screen, or simply with a notification bar in the
main wallet screen.
@node Template,,Design Doc 001 Anastasis User Experience,Design Documents
-@anchor{design-documents/999-template doc}@anchor{80}@anchor{design-documents/999-template template}@anchor{81}
+@anchor{design-documents/999-template doc}@anchor{83}@anchor{design-documents/999-template template}@anchor{84}
@subsection Template
@@ -4760,44 +4809,44 @@ main wallet screen.
@end menu
@node Summary<2>,Motivation<2>,,Template
-@anchor{design-documents/999-template summary}@anchor{82}
+@anchor{design-documents/999-template summary}@anchor{85}
@subsubsection Summary
@node Motivation<2>,Requirements,Summary<2>,Template
-@anchor{design-documents/999-template motivation}@anchor{83}
+@anchor{design-documents/999-template motivation}@anchor{86}
@subsubsection Motivation
@node Requirements,Proposed Solution,Motivation<2>,Template
-@anchor{design-documents/999-template requirements}@anchor{84}
+@anchor{design-documents/999-template requirements}@anchor{87}
@subsubsection Requirements
@node Proposed Solution,Alternatives,Requirements,Template
-@anchor{design-documents/999-template proposed-solution}@anchor{85}
+@anchor{design-documents/999-template proposed-solution}@anchor{88}
@subsubsection Proposed Solution
@node Alternatives,Drawbacks,Proposed Solution,Template
-@anchor{design-documents/999-template alternatives}@anchor{86}
+@anchor{design-documents/999-template alternatives}@anchor{89}
@subsubsection Alternatives
@node Drawbacks,Discussion / Q&A,Alternatives,Template
-@anchor{design-documents/999-template drawbacks}@anchor{87}
+@anchor{design-documents/999-template drawbacks}@anchor{8a}
@subsubsection Drawbacks
@node Discussion / Q&A,,Drawbacks,Template
-@anchor{design-documents/999-template discussion-q-a}@anchor{88}
+@anchor{design-documents/999-template discussion-q-a}@anchor{8b}
@subsubsection Discussion / Q&A
(This should be filled in with results from discussions on mailing lists / personal communication.)
@node Anastasis licensing information,Man Pages,Design Documents,Documentation Overview
-@anchor{global-licensing doc}@anchor{89}@anchor{global-licensing anastasis-licensing-information}@anchor{8a}
+@anchor{global-licensing doc}@anchor{8c}@anchor{global-licensing anastasis-licensing-information}@anchor{8d}
@section Anastasis licensing information
@@ -4819,7 +4868,7 @@ GPL.
@end menu
@node Anastasis git //git taler net/anastasis,Anastasis-gtk git //git taler net/anastasis-gtk,,Anastasis licensing information
-@anchor{global-licensing anastasis-git-git-taler-net-anastasis}@anchor{8b}@anchor{global-licensing exchange-repo}@anchor{8c}
+@anchor{global-licensing anastasis-git-git-taler-net-anastasis}@anchor{8e}@anchor{global-licensing exchange-repo}@anchor{8f}
@subsection Anastasis (git://git.taler.net/anastasis)
@@ -4831,7 +4880,7 @@ Anastasis core logic is under AGPL.
@end menu
@node Runtime dependencies,,,Anastasis git //git taler net/anastasis
-@anchor{global-licensing runtime-dependencies}@anchor{8d}
+@anchor{global-licensing runtime-dependencies}@anchor{90}
@subsubsection Runtime dependencies
@@ -4861,7 +4910,7 @@ GNU Taler: LGPLv3+ / GPLv3+ / AGPLv3+: owned by Taler Systems SA
@end itemize
@node Anastasis-gtk git //git taler net/anastasis-gtk,Documentation,Anastasis git //git taler net/anastasis,Anastasis licensing information
-@anchor{global-licensing anastasis-gtk-git-git-taler-net-anastasis-gtk}@anchor{8e}
+@anchor{global-licensing anastasis-gtk-git-git-taler-net-anastasis-gtk}@anchor{91}
@subsection Anastasis-gtk (git://git.taler.net/anastasis-gtk)
@@ -4873,7 +4922,7 @@ Anastasis-gtk is under AGPL.
@end menu
@node Runtime dependencies<2>,,,Anastasis-gtk git //git taler net/anastasis-gtk
-@anchor{global-licensing id1}@anchor{8f}
+@anchor{global-licensing id1}@anchor{92}
@subsubsection Runtime dependencies
@@ -4906,14 +4955,14 @@ GNU Taler: LGPLv3+ / GPLv3+ / AGPLv3+: owned by Taler Systems SA
@end itemize
@node Documentation,,Anastasis-gtk git //git taler net/anastasis-gtk,Anastasis licensing information
-@anchor{global-licensing documentation}@anchor{90}
+@anchor{global-licensing documentation}@anchor{93}
@subsection Documentation
The documentation is licensed under the GNU Free Documentation License Version 1.3 or later.
@node Man Pages,Complete Index,Anastasis licensing information,Documentation Overview
-@anchor{manindex doc}@anchor{91}@anchor{manindex man-pages}@anchor{92}
+@anchor{manindex doc}@anchor{94}@anchor{manindex man-pages}@anchor{95}
@section Man Pages
@@ -4927,7 +4976,7 @@ The documentation is licensed under the GNU Free Documentation License Version 1
@end menu
@node anastasis-config 1,anastasis-gtk 1,,Man Pages
-@anchor{manpages/anastasis-config 1 doc}@anchor{93}@anchor{manpages/anastasis-config 1 anastasis-config-1}@anchor{94}
+@anchor{manpages/anastasis-config 1 doc}@anchor{96}@anchor{manpages/anastasis-config 1 anastasis-config-1}@anchor{97}
@subsection anastasis-config(1)
@@ -4941,7 +4990,7 @@ The documentation is licensed under the GNU Free Documentation License Version 1
@end menu
@node Synopsis,Description,,anastasis-config 1
-@anchor{manpages/anastasis-config 1 synopsis}@anchor{95}
+@anchor{manpages/anastasis-config 1 synopsis}@anchor{98}
@subsubsection Synopsis
@@ -4961,7 +5010,7 @@ The documentation is licensed under the GNU Free Documentation License Version 1
[@strong{-v} | @strong{––version}]
@node Description,See Also,Synopsis,anastasis-config 1
-@anchor{manpages/anastasis-config 1 description}@anchor{96}
+@anchor{manpages/anastasis-config 1 description}@anchor{99}
@subsubsection Description
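Review bot: the synopsis line kept as context here, "[@strong{-v} | @strong{––version}]", renders the long option with two en dashes instead of two ASCII hyphens, so a reader who copies it gets a string that is not the option name. The same form appears in the anastasis-gtk and anastasis-reducer synopsis hunks. Suggest marking long options as literal text in the source so they come out as "--version".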
@@ -5045,14 +5094,14 @@ Print Anastasis version number.
@end table
@node See Also,Bugs,Description,anastasis-config 1
-@anchor{manpages/anastasis-config 1 see-also}@anchor{97}
+@anchor{manpages/anastasis-config 1 see-also}@anchor{9a}
@subsubsection See Also
anastasis.conf(5)
@node Bugs,,See Also,anastasis-config 1
-@anchor{manpages/anastasis-config 1 bugs}@anchor{98}
+@anchor{manpages/anastasis-config 1 bugs}@anchor{9b}
@subsubsection Bugs
@@ -5060,7 +5109,7 @@ Report bugs by using @indicateurl{https://bugs.anastasis.lu} or by sending elect
mail to <@email{contact@@anastasis.lu}>.
@node anastasis-gtk 1,anastasis-httpd 1,anastasis-config 1,Man Pages
-@anchor{manpages/anastasis-gtk 1 doc}@anchor{99}@anchor{manpages/anastasis-gtk 1 anastasis-gtk-1}@anchor{9a}
+@anchor{manpages/anastasis-gtk 1 doc}@anchor{9c}@anchor{manpages/anastasis-gtk 1 anastasis-gtk-1}@anchor{9d}
@subsection anastasis-gtk(1)
@@ -5074,7 +5123,7 @@ mail to <@email{contact@@anastasis.lu}>.
@end menu
@node Synopsis<2>,Description<2>,,anastasis-gtk 1
-@anchor{manpages/anastasis-gtk 1 synopsis}@anchor{9b}
+@anchor{manpages/anastasis-gtk 1 synopsis}@anchor{9e}
@subsubsection Synopsis
@@ -5086,7 +5135,7 @@ mail to <@email{contact@@anastasis.lu}>.
[@strong{-v} | @strong{––version}]
@node Description<2>,See Also<2>,Synopsis<2>,anastasis-gtk 1
-@anchor{manpages/anastasis-gtk 1 description}@anchor{9c}
+@anchor{manpages/anastasis-gtk 1 description}@anchor{9f}
@subsubsection Description
@@ -5119,14 +5168,14 @@ Print version information.
@end table
@node See Also<2>,Bugs<2>,Description<2>,anastasis-gtk 1
-@anchor{manpages/anastasis-gtk 1 see-also}@anchor{9d}
+@anchor{manpages/anastasis-gtk 1 see-also}@anchor{a0}
@subsubsection See Also
anastasis-reducer(1), anastasis-httpd(1), anastasis.conf(5).
@node Bugs<2>,,See Also<2>,anastasis-gtk 1
-@anchor{manpages/anastasis-gtk 1 bugs}@anchor{9e}
+@anchor{manpages/anastasis-gtk 1 bugs}@anchor{a1}
@subsubsection Bugs
@@ -5134,7 +5183,7 @@ Report bugs by using @indicateurl{https://bugs.anastasis.lu/} or by sending elec
mail to <@email{contact@@anastasis.lu}>.
@node anastasis-httpd 1,anastasis-reducer 1,anastasis-gtk 1,Man Pages
-@anchor{manpages/anastasis-httpd 1 doc}@anchor{9f}@anchor{manpages/anastasis-httpd 1 anastasis-httpd-1}@anchor{a0}
+@anchor{manpages/anastasis-httpd 1 doc}@anchor{a2}@anchor{manpages/anastasis-httpd 1 anastasis-httpd-1}@anchor{a3}
@subsection anastasis-httpd(1)
@@ -5149,14 +5198,14 @@ mail to <@email{contact@@anastasis.lu}>.
@end menu
@node Synopsis<3>,Description<3>,,anastasis-httpd 1
-@anchor{manpages/anastasis-httpd 1 synopsis}@anchor{a1}
+@anchor{manpages/anastasis-httpd 1 synopsis}@anchor{a4}
@subsubsection Synopsis
@strong{anastasis-httpd}
@node Description<3>,Signals,Synopsis<3>,anastasis-httpd 1
-@anchor{manpages/anastasis-httpd 1 description}@anchor{a2}
+@anchor{manpages/anastasis-httpd 1 description}@anchor{a5}
@subsubsection Description
@@ -5188,7 +5237,7 @@ Print version information.
@end table
@node Signals,See also,Description<3>,anastasis-httpd 1
-@anchor{manpages/anastasis-httpd 1 signals}@anchor{a3}
+@anchor{manpages/anastasis-httpd 1 signals}@anchor{a6}
@subsubsection Signals
@@ -5203,14 +5252,14 @@ Sending a SIGTERM to the process will cause it to shutdown cleanly.
@end table
@node See also,Bugs<3>,Signals,anastasis-httpd 1
-@anchor{manpages/anastasis-httpd 1 see-also}@anchor{a4}
+@anchor{manpages/anastasis-httpd 1 see-also}@anchor{a7}
@subsubsection See also
anastasis-dbinit(1), anastasis-config(1), anastasis-gtk(1), anastasis-reducer(1)
@node Bugs<3>,,See also,anastasis-httpd 1
-@anchor{manpages/anastasis-httpd 1 bugs}@anchor{a5}
+@anchor{manpages/anastasis-httpd 1 bugs}@anchor{a8}
@subsubsection Bugs
@@ -5218,7 +5267,7 @@ Report bugs by using @indicateurl{https://bugs.anastasis.lu} or by sending
electronic mail to <@email{contact@@anastasis.lu}>.
@node anastasis-reducer 1,anastasis conf 5,anastasis-httpd 1,Man Pages
-@anchor{manpages/anastasis-reducer 1 doc}@anchor{a6}@anchor{manpages/anastasis-reducer 1 anastasis-reducer-1}@anchor{a7}
+@anchor{manpages/anastasis-reducer 1 doc}@anchor{a9}@anchor{manpages/anastasis-reducer 1 anastasis-reducer-1}@anchor{aa}
@subsection anastasis-reducer(1)
@@ -5232,7 +5281,7 @@ electronic mail to <@email{contact@@anastasis.lu}>.
@end menu
@node Synopsis<4>,Description<4>,,anastasis-reducer 1
-@anchor{manpages/anastasis-reducer 1 synopsis}@anchor{a8}
+@anchor{manpages/anastasis-reducer 1 synopsis}@anchor{ab}
@subsubsection Synopsis
@@ -5247,7 +5296,7 @@ electronic mail to <@email{contact@@anastasis.lu}>.
[@strong{-v} | @strong{––version}] COMMAND
@node Description<4>,See Also<3>,Synopsis<4>,anastasis-reducer 1
-@anchor{manpages/anastasis-reducer 1 description}@anchor{a9}
+@anchor{manpages/anastasis-reducer 1 description}@anchor{ac}
@subsubsection Description
@@ -5257,7 +5306,7 @@ The reducer will read the current state from standard input and
write the resulting state to standard output. A COMMAND must
be given on the command line. The arguments (if any) are to
be given in JSON format to the @strong{-a} option. A list of
-commands can be found in the @ref{55,,Reducer API}
+commands can be found in the @ref{58,,Reducer API}
chapter.
@@ -5298,14 +5347,14 @@ Print version information.
@end table
@node See Also<3>,Bugs<4>,Description<4>,anastasis-reducer 1
-@anchor{manpages/anastasis-reducer 1 see-also}@anchor{aa}
+@anchor{manpages/anastasis-reducer 1 see-also}@anchor{ad}
@subsubsection See Also
anastasis-gtk(1), anastasis-httpd(1), anastasis.conf(5).
@node Bugs<4>,,See Also<3>,anastasis-reducer 1
-@anchor{manpages/anastasis-reducer 1 bugs}@anchor{ab}
+@anchor{manpages/anastasis-reducer 1 bugs}@anchor{ae}
@subsubsection Bugs
@@ -5313,7 +5362,7 @@ Report bugs by using @indicateurl{https://bugs.anastasis.lu/} or by sending elec
mail to <@email{contact@@anastasis.lu}>.
@node anastasis conf 5,,anastasis-reducer 1,Man Pages
-@anchor{manpages/anastasis conf 5 doc}@anchor{ac}@anchor{manpages/anastasis conf 5 anastasis-conf-5}@anchor{ad}
+@anchor{manpages/anastasis conf 5 doc}@anchor{af}@anchor{manpages/anastasis conf 5 anastasis-conf-5}@anchor{b0}
@subsection anastasis.conf(5)
@@ -5326,7 +5375,7 @@ mail to <@email{contact@@anastasis.lu}>.
@end menu
@node Description<5>,SEE ALSO,,anastasis conf 5
-@anchor{manpages/anastasis conf 5 description}@anchor{ae}
+@anchor{manpages/anastasis conf 5 description}@anchor{b1}
@subsubsection Description
@@ -5380,7 +5429,7 @@ include the entirety of @code{sub.conf} at that point in @code{main.conf}.
@end menu
@node GLOBAL OPTIONS,Authorization options,,Description<5>
-@anchor{manpages/anastasis conf 5 global-options}@anchor{af}
+@anchor{manpages/anastasis conf 5 global-options}@anchor{b2}
@subsubsection GLOBAL OPTIONS
@@ -5430,7 +5479,7 @@ TCP port on which the HTTP service should listen on.
@end table
@node Authorization options,Postgres database configuration,GLOBAL OPTIONS,Description<5>
-@anchor{manpages/anastasis conf 5 authorization-options}@anchor{b0}
+@anchor{manpages/anastasis conf 5 authorization-options}@anchor{b3}
@subsubsection Authorization options
@@ -5456,7 +5505,7 @@ Helper command to run (only relevant for some plugins).
@end table
@node Postgres database configuration,,Authorization options,Description<5>
-@anchor{manpages/anastasis conf 5 postgres-database-configuration}@anchor{b1}
+@anchor{manpages/anastasis conf 5 postgres-database-configuration}@anchor{b4}
@subsubsection Postgres database configuration
@@ -5474,14 +5523,14 @@ should use, i.e. @code{postgres://anastasis}.
@end table
@node SEE ALSO,BUGS,Description<5>,anastasis conf 5
-@anchor{manpages/anastasis conf 5 see-also}@anchor{b2}
+@anchor{manpages/anastasis conf 5 see-also}@anchor{b5}
@subsubsection SEE ALSO
anastasis-httpd(1), anastasis-config(1)
@node BUGS,,SEE ALSO,anastasis conf 5
-@anchor{manpages/anastasis conf 5 bugs}@anchor{b3}
+@anchor{manpages/anastasis conf 5 bugs}@anchor{b6}
@subsubsection BUGS
@@ -5489,12 +5538,12 @@ Report bugs by using @indicateurl{https://bugs.anastasis.lu/} or by sending elec
mail to <@email{contact@@anastasis.lu}>.
@node Complete Index,GNU Free Documentation License,Man Pages,Documentation Overview
-@anchor{genindex doc}@anchor{b4}@anchor{genindex complete-index}@anchor{b5}
+@anchor{genindex doc}@anchor{b7}@anchor{genindex complete-index}@anchor{b8}
@section Complete Index
@node GNU Free Documentation License,,Complete Index,Documentation Overview
-@anchor{fdl-1 3 doc}@anchor{b6}@anchor{fdl-1 3 gnu-fdl-1-3}@anchor{b7}@anchor{fdl-1 3 gnu-free-documentation-license}@anchor{b8}
+@anchor{fdl-1 3 doc}@anchor{b9}@anchor{fdl-1 3 gnu-fdl-1-3}@anchor{ba}@anchor{fdl-1 3 gnu-free-documentation-license}@anchor{bb}
@section GNU Free Documentation License
@@ -5524,7 +5573,7 @@ license document, but changing it is not allowed.
@end menu
@node 0 PREAMBLE,1 APPLICABILITY AND DEFINITIONS,,GNU Free Documentation License
-@anchor{fdl-1 3 preamble}@anchor{b9}
+@anchor{fdl-1 3 preamble}@anchor{bc}
@subsection 0. PREAMBLE
@@ -5550,7 +5599,7 @@ published as a printed book. We recommend this License principally for
works whose purpose is instruction or reference.
@node 1 APPLICABILITY AND DEFINITIONS,2 VERBATIM COPYING,0 PREAMBLE,GNU Free Documentation License
-@anchor{fdl-1 3 applicability-and-definitions}@anchor{ba}
+@anchor{fdl-1 3 applicability-and-definitions}@anchor{bd}
@subsection 1. APPLICABILITY AND DEFINITIONS
@@ -5640,7 +5689,7 @@ these Warranty Disclaimers may have is void and has no effect on the
meaning of this License.
@node 2 VERBATIM COPYING,3 COPYING IN QUANTITY,1 APPLICABILITY AND DEFINITIONS,GNU Free Documentation License
-@anchor{fdl-1 3 verbatim-copying}@anchor{bb}
+@anchor{fdl-1 3 verbatim-copying}@anchor{be}
@subsection 2. VERBATIM COPYING
@@ -5658,7 +5707,7 @@ You may also lend copies, under the same conditions stated above, and
you may publicly display copies.
@node 3 COPYING IN QUANTITY,4 MODIFICATIONS,2 VERBATIM COPYING,GNU Free Documentation License
-@anchor{fdl-1 3 copying-in-quantity}@anchor{bc}
+@anchor{fdl-1 3 copying-in-quantity}@anchor{bf}
@subsection 3. COPYING IN QUANTITY
@@ -5698,7 +5747,7 @@ Document well before redistributing any large number of copies, to give
them a chance to provide you with an updated version of the Document.
@node 4 MODIFICATIONS,5 COMBINING DOCUMENTS,3 COPYING IN QUANTITY,GNU Free Documentation License
-@anchor{fdl-1 3 modifications}@anchor{bd}
+@anchor{fdl-1 3 modifications}@anchor{c0}
@subsection 4. MODIFICATIONS
@@ -5834,7 +5883,7 @@ give permission to use their names for publicity for or to assert or
imply endorsement of any Modified Version.
@node 5 COMBINING DOCUMENTS,6 COLLECTIONS OF DOCUMENTS,4 MODIFICATIONS,GNU Free Documentation License
-@anchor{fdl-1 3 combining-documents}@anchor{be}
+@anchor{fdl-1 3 combining-documents}@anchor{c1}
@subsection 5. COMBINING DOCUMENTS
@@ -5861,7 +5910,7 @@ sections Entitled “Dedications”. You must delete all sections Entitled
“Endorsements”.
@node 6 COLLECTIONS OF DOCUMENTS,7 AGGREGATION WITH INDEPENDENT WORKS,5 COMBINING DOCUMENTS,GNU Free Documentation License
-@anchor{fdl-1 3 collections-of-documents}@anchor{bf}
+@anchor{fdl-1 3 collections-of-documents}@anchor{c2}
@subsection 6. COLLECTIONS OF DOCUMENTS
@@ -5877,7 +5926,7 @@ License into the extracted document, and follow this License in all
other respects regarding verbatim copying of that document.
@node 7 AGGREGATION WITH INDEPENDENT WORKS,8 TRANSLATION,6 COLLECTIONS OF DOCUMENTS,GNU Free Documentation License
-@anchor{fdl-1 3 aggregation-with-independent-works}@anchor{c0}
+@anchor{fdl-1 3 aggregation-with-independent-works}@anchor{c3}
@subsection 7. AGGREGATION WITH INDEPENDENT WORKS
@@ -5898,7 +5947,7 @@ equivalent of covers if the Document is in electronic form. Otherwise
they must appear on printed covers that bracket the whole aggregate.
@node 8 TRANSLATION,9 TERMINATION,7 AGGREGATION WITH INDEPENDENT WORKS,GNU Free Documentation License
-@anchor{fdl-1 3 translation}@anchor{c1}
+@anchor{fdl-1 3 translation}@anchor{c4}
@subsection 8. TRANSLATION
@@ -5920,7 +5969,7 @@ If a section in the Document is Entitled “Acknowledgements”,
Title (section 1) will typically require changing the actual title.
@node 9 TERMINATION,10 FUTURE REVISIONS OF THIS LICENSE,8 TRANSLATION,GNU Free Documentation License
-@anchor{fdl-1 3 termination}@anchor{c2}
+@anchor{fdl-1 3 termination}@anchor{c5}
@subsection 9. TERMINATION
@@ -5950,7 +5999,7 @@ reinstated, receipt of a copy of some or all of the same material does
not give you any rights to use it.
@node 10 FUTURE REVISIONS OF THIS LICENSE,11 RELICENSING,9 TERMINATION,GNU Free Documentation License
-@anchor{fdl-1 3 future-revisions-of-this-license}@anchor{c3}
+@anchor{fdl-1 3 future-revisions-of-this-license}@anchor{c6}
@subsection 10. FUTURE REVISIONS OF THIS LICENSE
@@ -5972,7 +6021,7 @@ used, that proxy’s public statement of acceptance of a version
permanently authorizes you to choose that version for the Document.
@node 11 RELICENSING,ADDENDUM How to use this License for your documents,10 FUTURE REVISIONS OF THIS LICENSE,GNU Free Documentation License
-@anchor{fdl-1 3 relicensing}@anchor{c4}
+@anchor{fdl-1 3 relicensing}@anchor{c7}
@subsection 11. RELICENSING
@@ -6003,7 +6052,7 @@ under CC-BY-SA on the same site at any time before August 1, 2009,
provided the MMC is eligible for relicensing.
@node ADDENDUM How to use this License for your documents,,11 RELICENSING,GNU Free Documentation License
-@anchor{fdl-1 3 addendum-how-to-use-this-license-for-your-documents}@anchor{c5}
+@anchor{fdl-1 3 addendum-how-to-use-this-license-for-your-documents}@anchor{c8}
@subsection ADDENDUM: How to use this License for your documents
@@ -6037,8 +6086,8 @@ If your document contains nontrivial examples of program code, we
recommend releasing these examples in parallel under your choice of free
software license, such as the GNU General Public License, to permit
their use in free software.
+@anchor{29}@w{ }
@anchor{rest tsref-type-ErrorDetail}@w{ }
-@anchor{26}@w{ }
@c %**end of body
@bye
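Review bot: the numeric anchor at the end of the body moves from after "@anchor{rest tsref-type-ErrorDetail}" (old @anchor{26}) to before it (new @anchor{29}), which is a change in ordering and not only in number; please confirm that nothing refers to it by position. More generally, every hunk in this file from the Reducer API onward only shifts anchor and @ref numbers by three (59 to 5c, 5a to 5d, and so on), and the diffstat reports 421 changed lines for it. If anastasis.texi is generated from doc/sphinx, consider regenerating it in a separate commit or not tracking it, so that the intro rewrite can be reviewed without the renumbering noise.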
diff --git a/doc/sphinx/index.rst b/doc/sphinx/index.rst
index 52edd89..8c19ebc 100644
--- a/doc/sphinx/index.rst
+++ b/doc/sphinx/index.rst
@@ -18,7 +18,34 @@
Anastasis Documentation
=======================
-The system will be based on free software and open protocols.
+Anastasis is Free Software protocol and implementation that allows
+users to securely deposit **core secrets** with an open set of escrow
+providers and to recover these secrets if their original copies are
+lost.
+
+Anastasis is intended for users that want to make backups of key
+material, such as OpenPGP encryption keys, hard disk encryption keys
+or master keys of electronic wallets. Anastasis is NOT intended to
+store large amounts of secret data, it is only designed to safeguard
+key material.
+
+Anastasis solves the issue of keeping key material both available
+to the authorized user(s), and confidential from anyone else.
+
+With Anastasis, the **core secrets** are protected from the Anastasis
+escrow providers by encrypting each with a **master key**. The
+**master key** can be split and distributed across the escrow
+providers to ensure that no single escrow provider can recover the
+**master key** on its own. Which subset(s) of Anastasis providers
+must be contacted to recover a **master key** is freely configurable.
+
+With Anastasis, users can reliably recover their **core secret**,
+while Anastasis makes this difficult for everyone else. This is even
+true if the user is unable to reliably remember any secret with
+sufficiently high entropy: Anastasis does not simply reduce the
+problem to encrypting the **core secret** using some other key
+material in possession of the user.
+
Documentation Overview
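Review bot: The first added sentence, "Anastasis is Free Software protocol and implementation", is missing an article ("a Free Software protocol and implementation"), and "store large amounts of secret data, it is only designed to safeguard key material" is a comma splice that reads better with a semicolon or as two sentences. The text also switches between "core secrets" in the first and fourth paragraphs and "core secret" in the last one; pick one. The same paragraphs are added to doc/anastasis.texi in this commit, so any wording fix has to land in both files.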
diff --git a/doc/sphinx/introduction.rst b/doc/sphinx/introduction.rst
index c3ae234..bfff83a 100644
--- a/doc/sphinx/introduction.rst
+++ b/doc/sphinx/introduction.rst
@@ -21,14 +21,13 @@
Introduction
============
-Anastasis is a service that allows the user to securely deposit a
-**core secret** with an open set of escrow providers and recover it if the secret is
-lost. The **core secret** itself is protected from the escrow providers by
-encrypting it with a **master key**. The main objective of Anastasis is to
-ensure that the user can reliably recover the **core secret**, while making
-this difficult for everyone else. Furthermore, it is assumed that the user is
-unable to reliably remember any secret with sufficiently high entropy, so we
-cannot simply encrypt using some other key material in possession of the user.
+To understand how Anastasis works, you need to understand three key
+concepts: user identifiers, our adversary model and the role of the
+recovery document.
+
+
+User Identifiers
+----------------
To uniquely identify users, an "unforgettable" **identifier** is used. This
identifier should be difficult to guess for anybody but the user. However, the
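Review bot: With the opening paragraph removed, introduction.rst no longer defines **core secret** or **master key**, yet the text that remains still relies on them (for example "to recover their core secret" further down). Keep a one-sentence definition here, or add a pointer to the overview in index.rst, so that this page still reads on its own.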
@@ -37,6 +36,10 @@ cryptographically secure. Examples for such identifier would be a
concatenation of the full name of the user and their social security or
passport number(s). For Swiss citizens, the AHV number could also be used.
+
+Adversary models
+----------------
+
The adversary model of Anastasis has two types of adversaries: weak
adversaries which do not know the user's **identifier**, and strong
adversaries which somehow do know a user's **identifier**. For weak
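Review bot: The new heading "Adversary models" is plural, but the lead-in added at the top of this file lists "our adversary model" and the paragraph under the heading begins "The adversary model of Anastasis has two types of adversaries". Use the singular, "Adversary model", so the heading matches the text it introduces.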
@@ -47,6 +50,10 @@ escrow providers must have colluded. The user is able to specify a set of
collude to break confidentiality. These policies also set the bar for the user
to recover their core secret.
+
+The recovery document
+---------------------
+
A **recovery document** includes all of the information a user needs to
recover access to their core secret. It specifies a set of **escrow
methods**, which specify how the user should convince the Anastasis server
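Review bot: Heading capitalization is inconsistent across the three sections this patch introduces: "User Identifiers" is title case, while "Adversary models" and "The recovery document" are sentence case. Pick one style for all three; dropping the article ("Recovery document") would also bring this heading in line with the other two.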