-.B update-users [USER]...
-Update the admin-controlled authorized_keys files for user. For each
-user specified, user ID's listed in the user's authorized_user_ids
-file are processed, and the user's authorized_keys file in
-/var/cache/monkeysphere/authorized_keys/USER. See `man monkeysphere'
-for more info. If the RAW_AUTHORIZED_KEYS variable is set, then a
-user-controlled authorized_keys file (usually
-~USER/.ssh/authorized_keys) is added to the authorized_keys file. `u'
-may be used in place of `update-users.
-.TP
-.B gen-key
-Generate a gpg key pair for the host. `g' may be used in place of
-`gen-key'.
+.B update-users [ACCOUNT]...
+Rebuild the monkeysphere-controlled authorized_keys files. For each
+specified account, the user ID's listed in the account's
+authorized_user_ids file are processed. For each user ID, gpg will be
+queried for keys associated with that user ID, optionally querying a
+keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
+monkeysphere(5)), the key is added to the account's
+monkeysphere-controlled authorized_keys file. If the
+RAW_AUTHORIZED_KEYS variable is set, then a separate authorized_keys
+file (usually ~USER/.ssh/authorized_keys) is appended to the
+monkeysphere-controlled authorized_keys file. If no accounts are
+specified, then all accounts on the system are processed. `u' may be
+used in place of `update-users'.
+.TP
+.B gen-key [HOSTNAME]
+Generate a OpenPGP key pair for the host. If HOSTNAME is not
+specified, then the system fully-qualified domain name will be user.
+An alternate key bit length can be specified with the `-l' or
+`--length' option (default 2048). An expiration length can be
+specified with the `-e' or `--expire' option (prompt otherwise). A
+key revoker fingerprint can be specified with the `-r' or `--revoker'
+option. `g' may be used in place of `gen-key'.