diff --git a/appveyor.yml b/appveyor.yml
index 09613556..b2e00ed8 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -23,6 +23,7 @@ install:
   - set PATH=%PYTHON%;%PYTHON%\\Scripts;%PATH%
   - python -m pip install -U pip
   - pip install -e .
+  - pip install securesystemslib[crypto,pynacl]
 
 build: false
 
diff --git a/ci-requirements.txt b/ci-requirements.txt
index c7bdff53..fc218efb 100644
--- a/ci-requirements.txt
+++ b/ci-requirements.txt
@@ -1,6 +1,4 @@
-cryptography
-pynacl
-securesystemslib
+securesystemslib[crypto,pynacl]
 six
 iso8601
 coverage
diff --git a/dev-requirements.txt b/dev-requirements.txt
index 6f67d97c..8272e4c5 100644
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -29,7 +29,7 @@ pycparser==2.18
 pylint==1.9.1
 pynacl==1.2.1
 pyyaml==3.12
-securesystemslib==0.11.1
+securesystemslib[crypto,pynacl]==0.11.2
 singledispatch==3.4.0.3
 six==1.11.0
 smmap2==2.0.3
diff --git a/docs/INSTALLATION.rst b/docs/INSTALLATION.rst
index fc4f70bb..3720f9e8 100644
--- a/docs/INSTALLATION.rst
+++ b/docs/INSTALLATION.rst
@@ -42,3 +42,9 @@ Installation instructions:
 
     Or from the root directory of the unpacked archive.
     $ pip install .
+
+    By default, C extensions are not installed and only Ed25519 signatures can
+    be verified in pure Python.  To fully support RSA, Ed25519, ECDSA, and
+    other crypto, you must install the extra dependencies declared by
+    securesystemslib:
+    $ pip install securesystemslib[crypto,pynacl]
diff --git a/requirements.in b/requirements.in
new file mode 100644
index 00000000..667e20ee
--- /dev/null
+++ b/requirements.in
@@ -0,0 +1,8 @@
+# requirements.in for pip-compile.
+
+securesystemslib
+cryptography
+colorama
+pynacl
+six
+iso8601
diff --git a/requirements.txt b/requirements.txt
index 6936bfbd..17418672 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile
 # To update, run:
 #
-#    pip-compile --generate-hashes --output-file requirements.txt setup.py
+#    pip-compile --generate-hashes --output-file requirements.txt requirements.in
 #
 asn1crypto==0.24.0 \
     --hash=sha256:2f1adbb7546ed199e3c90ef23ec95c5cf3585bac7d11fb7eb562a3fe89c64e87 \
@@ -39,8 +39,7 @@ cffi==1.11.5 \
     # via cryptography, pynacl
 colorama==0.3.9 \
     --hash=sha256:463f8483208e921368c9f306094eb6f725c6ca42b0f97e313cb5d5512459feda \
-    --hash=sha256:48eb22f4f8461b1df5734a074b57042430fb06e1d61bd1e11b078c0fe6d7a1f1 \
-    # via securesystemslib
+    --hash=sha256:48eb22f4f8461b1df5734a074b57042430fb06e1d61bd1e11b078c0fe6d7a1f1
 cryptography==2.2.2 \
     --hash=sha256:3f3b65d5a16e6b52fba63dc860b62ca9832f51f1a2ae5083c78b6840275f12dd \
     --hash=sha256:551a3abfe0c8c6833df4192a63371aa2ff43afd8f570ed345d31f251d78e7e04 \
@@ -58,8 +57,7 @@ cryptography==2.2.2 \
     --hash=sha256:d6f46e862ee36df81e6342c2177ba84e70f722d9dc9c6c394f9f1f434c4a5563 \
     --hash=sha256:db6013746f73bf8edd9c3d1d3f94db635b9422f503db3fc5ef105233d4c011ab \
     --hash=sha256:f57008eaff597c69cf692c3518f6d4800f0309253bb138b526a37fe9ef0c7471 \
-    --hash=sha256:f6c821ac253c19f2ad4c8691633ae1d1a17f120d5b01ea1d256d7b602bc59887 \
-    # via securesystemslib
+    --hash=sha256:f6c821ac253c19f2ad4c8691633ae1d1a17f120d5b01ea1d256d7b602bc59887
 enum34==1.1.6 \
     --hash=sha256:2d81cbbe0e73112bdfe6ef8576f2238f2ba27dd0d55752a776c41d38b7da2850 \
     --hash=sha256:644837f692e5f550741432dd3f223bbb9852018674981b1664e5dc339387588a \
@@ -104,11 +102,10 @@ pynacl==1.2.1 \
     --hash=sha256:eb2acabbd487a46b38540a819ef67e477a674481f84a82a7ba2234b9ba46f752 \
     --hash=sha256:eeee629828d0eb4f6d98ac41e9a3a6461d114d1d0aa111a8931c049359298da0 \
     --hash=sha256:f5ce9e26d25eb0b2d96f3ef0ad70e1d3ae89b5d60255c462252a3e456a48c053 \
-    --hash=sha256:fabf73d5d0286f9e078774f3435601d2735c94ce9e514ac4fb945701edead7e4 \
-    # via securesystemslib
-securesystemslib==0.11.1 \
-    --hash=sha256:1439bb314836b8f00450bc79782b586c2135b2a86ba384862f42074cd7c6b10f \
-    --hash=sha256:53a81a13d920dd92541140a239e0b64411d0cb7d4df3ecdab1697f8d8d922c5f
+    --hash=sha256:fabf73d5d0286f9e078774f3435601d2735c94ce9e514ac4fb945701edead7e4
+securesystemslib==0.11.2 \
+    --hash=sha256:43554371feeef50196587aa066cffd6b9ceff6b484fa7b127e139fafb5c0e23e \
+    --hash=sha256:7fe1ed8a4139b12225986ff6f9ebab48c74eaa93265a73f988e8de10e6b237a8
 six==1.11.0 \
     --hash=sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9 \
     --hash=sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb
diff --git a/setup.py b/setup.py
index 70df01ae..47af2cac 100755
--- a/setup.py
+++ b/setup.py
@@ -108,7 +108,7 @@
     'Topic :: Security',
     'Topic :: Software Development'
   ],
-  install_requires = ['iso8601>=0.1.12', 'six>=1.11.0', 'securesystemslib>=0.11.1'],
+  install_requires = ['iso8601>=0.1.12', 'six>=1.11.0', 'securesystemslib>=0.11.2'],
   packages = find_packages(exclude=['tests']),
   scripts = [
     'tuf/scripts/repo.py',