diff --git a/bare_minimum_crypto/cpp/bmc_main.cpp b/bare_minimum_crypto/cpp/bmc_main.cpp
index dd4c5ee..1e61184 100644
--- a/bare_minimum_crypto/cpp/bmc_main.cpp
+++ b/bare_minimum_crypto/cpp/bmc_main.cpp
@@ -204,6 +204,7 @@ int main (int argc, char ** argv) {
 		("generate-human-key", "Generate a passphrase-protected key for human use", cxxopts::value <string> ())
 		("generate-machine-key", "Generate a key for machine use, with no passphrase", cxxopts::value <string> ())
 		("generate-key-cert", "Certify a key for 3 months and save the cert here", cxxopts::value <string> ())
+		("generate-data-cert", "Certify data for 1 week and save the cert here", cxxopts::value <string> ())
 		
 		// cxxopts nonsense
 		("using-key", "Key to load for other operations", cxxopts::value <string> ())
diff --git a/bare_minimum_crypto/todo.md b/bare_minimum_crypto/todo.md
index d8e9ad0..98f96b2 100644
--- a/bare_minimum_crypto/todo.md
+++ b/bare_minimum_crypto/todo.md
@@ -1,2 +1,14 @@
+User story checklist:
+
+C++ implementation:
+
+- (X) Generate human secret key
+- (X) Generate machine secret key
+- (X) Certify signing key with root secret key
+- ( ) Sign payload with signing key
+- ( ) Verify payload with root pubkey
+
+Todo:
+
 - Use libsodium's secure memory when handling keys / seeds / passphrases
 - Test on Windows (machine_id won't work)