-Publish the host's gpg key to the keyserver. `p' may be used in place
-of `publish-key'.
-.TP
-.B add-certifier KEYID
-Add a certifier key to host keyring. The key with specified key ID
-will be retrieved from the keyserver and imported to the host keyring.
-It will then be given a non-exportable trust signature, with default
-depth of 1, so that the key may certifier users to log into the
-system. `a' may be used in place of `add-certifier'.
-.TP
-.B remove-certifier KEYID
-Remove a certifier key from the host keyring. The key with specified
-key ID will be removed entirely from the host keyring so that the key
-will not longer be able to certify users on the system. `r' may be
-used in place of `remove-certifier'.
-.TP
-.B list-certifiers KEYID
-Add key to certify system users. If LEVEL is not specified, then the program
-will prompt for an owner trust level to set for KEYID. This function
-lsigns the key as well so that it will have a known validity. `l' may
-be used in place of `list-certifiers'.
+Publish the host's OpenPGP key to the keyserver. `p' may be used in
+place of `publish-key'.
+.TP
+.B diagnostics
+Review the state of the server with respect to the MonkeySphere in
+general and report on suggested changes. Among other checks, this
+includes making sure there is a valid host key, that the key is
+published, that the sshd configuration points to the right place, and
+that there are at least some valid identity certifiers. `d' may be
+used in place of `diagnostics'.
+.TP
+.B add-identity-certifier KEYID
+Instruct system to trust user identity certifications made by KEYID.
+Using the `-n' or `--domain' option allows you to indicate that you
+only trust the given KEYID to make identifications within a specific
+domain (e.g. "trust KEYID to certify user identities within the
+@example.org domain"). A certifier trust level can be specified with
+the `-t' or `--trust' option (possible values are `marginal' and
+`full' (default is `full')). A certifier trust depth can be specified
+with the `-d' or `--depth' option (default is 1). `c+' may be used in
+place of `add-identity-certifier'.
+.TP
+.B remove-identity-certifier KEYID
+Instruct system to ignore user identity certifications made by KEYID.
+`c-' may be used in place of `remove-identity-certifier'.
+.TP
+.B list-identity-certifiers
+List key IDs trusted by the system to certify user identities. `c'
+may be used in place of `list-identity-certifiers'.
+.TP
+.B gpg-authentication-cmd
+Execute a gpg command on the gnupg-authentication keyring as the
+monkeysphere user. This takes a single command (multiple gpg
+arguments need to be quoted). Use this command with caution, as
+modifying the gnupg-authentication keyring can affect ssh user
+authentication.