sq-pki-link - Man Page
Manage authenticated certificate and User ID links
Synopsis
sq pki link add [OPTIONS]
sq pki link authorize [OPTIONS]
sq pki link retract [OPTIONS]
sq pki link list [OPTIONS]
Description
Manage authenticated certificate and User ID links.
Linking a certificate and User ID is one way of making `sq` consider a binding to be authentic. Another way is to use `sq pki vouch certify` to certify the binding with an explicitly configured trust root. The linking functionality is often easier to work with, and the information is private by default.
Authenticated bindings can be used to designate a certificate using a symbolic name. For instance, using `sq encrypt`'s `--for-userid` and `--for-email` options, a user can designate a certificate using a User ID or an email address that is authenticated for that certificate.
`sq` also uses authenticated certificates to authenticate other data. For instance, `sq verify` considers signatures made by an authenticated certificate to be authentic.
Users can create a link using `sq pki link add`. That link can later be retracted using `sq pki link retract`. A certificate can also be accepted as a trusted introducer by using `sq pki link authorize`.
`sq` implements linking using non-exportable certifications, and an implicit trust root. An OpenPGP certificate directory, the default certificate store used by `sq`, includes a local trust root, which is stored under the `trust-root` special name. When the user instructs `sq` to accept a binding, `sq` uses the local trust root to create a non-exportable certification, which it stores in the certificate directory. In this way, operations that use the Web of Trust to authenticate a binding automatically use links.
When a user retracts a link, `sq` creates a new, non-exportable certification with zero trust. This certification suppresses the previous link.
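To make the mechanism described above concrete, the following Python model, written for this page and not taken from sq or sequoia-openpgp, keeps a certificate directory in which every `add` and `retract` appends a non-exportable certification issued by the `trust-root`, and authentication picks the newest certification that is live at the reference time. The trust amount of 120, the simplified duration parser, the constructed certificate and user ID data, and the `LinkStore` API are assumptions for illustration; sq's real implementation differs in detail.

```python
"""Model of how `sq pki link` records links: add/retract append a non-exportable
certification from the local trust root, nothing is ever deleted, and the newest
certification live at the reference time decides whether a binding is authentic.
Illustrative model written for this page, not sequoia or sq code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

TRUST_ROOT = "trust-root"   # special name of the local trust root (from the man page)
FULL = 120                  # assumed trust amount meaning "fully authenticated"
RETRACTED = 0               # a zero-trust certification suppresses earlier links

# Constructed sample data: one certificate with two self-signed user IDs.
SELF_SIGNED_USERIDS: Dict[str, List[str]] = {
    "EB28F26E2739A4870ECC47726F0073F60FD0CBF0": [
        "Alice <alice@example.org>",
        "Alice (work) <alice@work.example>",
    ],
}


def parse_expiration(spec: str) -> timedelta:
    """Simplified subset of sq's duration syntax (assumption): <n>d, <n>w, <n>y."""
    units = {"d": 1, "w": 7, "y": 365}
    return timedelta(days=int(spec[:-1]) * units[spec[-1]])


@dataclass(frozen=True)
class Certification:
    issuer: str
    cert: str
    userid: str
    trust_amount: int
    created: datetime
    expires: Optional[datetime]
    exportable: bool = False    # links never leave the certificate directory


class LinkStore:
    def __init__(self) -> None:
        self.certifications: List[Certification] = []

    def _targets(self, cert, userid=None, email=None, all_userids=False) -> List[str]:
        """Resolve --userid / --email / --all to the user IDs to certify."""
        uids = SELF_SIGNED_USERIDS.get(cert, [])
        if all_userids:
            return list(uids)
        if email is not None:
            return [u for u in uids if u == email or f"<{email}>" in u]
        return [userid] if userid is not None else []

    def add(self, cert, *, userid=None, email=None, all_userids=False,
            time=None, expiration=None) -> None:
        """`sq pki link add`: certify with the trust root as of the reference time."""
        now = time or datetime.now(timezone.utc)
        expires = now + parse_expiration(expiration) if expiration else None
        for uid in self._targets(cert, userid, email, all_userids):
            self.certifications.append(Certification(TRUST_ROOT, cert, uid, FULL, now, expires))

    def retract(self, cert, *, userid=None, email=None, time=None) -> None:
        """`sq pki link retract`: append a zero-trust certification, remove nothing."""
        now = time or datetime.now(timezone.utc)
        if userid is None and email is None:
            # No designator: retract every user ID that ever had a link on this cert.
            targets = sorted({c.userid for c in self.certifications if c.cert == cert})
        else:
            targets = self._targets(cert, userid, email)
        for uid in targets:
            self.certifications.append(Certification(TRUST_ROOT, cert, uid, RETRACTED, now, None))

    def _live(self, cert, userid, at) -> Optional[Certification]:
        """Newest trust-root certification created at or before `at` and not expired."""
        live = [c for c in self.certifications
                if c.cert == cert and c.userid == userid and c.issuer == TRUST_ROOT
                and c.created <= at and (c.expires is None or at < c.expires)]
        return max(live, key=lambda c: c.created) if live else None

    def authenticated(self, cert, userid, at=None) -> bool:
        """Is the binding authentic at the reference time `at`?"""
        c = self._live(cert, userid, at or datetime.now(timezone.utc))
        return c is not None and c.trust_amount >= FULL

    def list_links(self, at=None, domain=None) -> Dict[Tuple[str, str], str]:
        """`sq pki link list`: every binding that was linked or retracted."""
        at = at or datetime.now(timezone.utc)
        out: Dict[Tuple[str, str], str] = {}
        for c in self.certifications:
            if domain and not c.userid.rstrip(">").endswith("@" + domain):
                continue
            live = self._live(c.cert, c.userid, at)
            if live is None:
                status = "inactive"          # expired, or created after `at`
            elif live.trust_amount >= FULL:
                status = "linked"
            else:
                status = "retracted"
            out[(c.cert, c.userid)] = status
        return out
```

The point the model makes explicit is that retraction is append-only: a retracted binding still shows up in `list_links`, and passing an earlier reference time (the analogue of the top-level `--time`) reveals the link that was live back then.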
Subcommands
sq pki link add
Link a certificate and a user ID.
This causes `sq` to consider the certificate and user ID binding to be authentic. You would do this if you are confident that a particular certificate should be associated with Alice, for example. Note: this does not consider the certificate to be a trusted introducer; it only considers the binding to be authentic. To authorize a certificate to be a trusted introducer use `sq pki link authorize`.
A link can be retracted using `sq pki link retract`.
This command is similar to `sq pki vouch certify`, but the certifications it makes are done using the certificate directory's trust root, not an arbitrary key. Further, the certifications are marked as non-exportable. The former makes it easier to manage certifications, especially when the user's certification key is offline. The latter improves the user's privacy by reducing the chance that parts of the user's social graph are leaked when a certificate is shared.
By default a link never expires. This can be overridden using `--expiration` argument.
`sq pki link add` respects the reference time set by the top-level `--time` argument. It sets the link's creation time to the reference time.
sq pki link retract
Retract links.
This command retracts links that were previously created using `sq pki link add` or `sq pki link authorize`. See those subcommands' documentation for more details. Note: this is called `retract` and not `remove`, because the certifications are not removed. Instead a new certification is added, which says that the binding has not been authenticated.
`sq pki link retract` respects the reference time set by the top-level `--time` argument. This causes a link to be retracted as of a particular time instead of the current time.
sq pki link list
List links.
This command lists all bindings that are linked or whose link has been retracted.
Examples
sq pki link add
Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the email address alice@example.org.
sq pki link add \
    --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
    --email=alice@example.org
First, examine the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0.
sq inspect --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0
Then, temporarily accept the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all of its self-signed user IDs for a week.
sq pki link add --expiration=1w \
    --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all
Once satisfied, permanently accept the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all of its self-signed user IDs.
sq pki link add \
    --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all
sq pki link retract
Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the email address alice@example.org.
sq pki link add \
    --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
    --email=alice@example.org
Retract the acceptance of certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 and the email address alice@example.org.
sq pki link retract \
    --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
    --email=alice@example.org
Retract the acceptance of certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 and any associated user IDs. This effectively invalidates all links for that certificate.
sq pki link retract \
    --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0
sq pki link list
Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the email address alice@example.org.
sq pki link add \
    --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
    --email=alice@example.org
List all links.
sq pki link list
List all links in the example.org domain.
sq pki link list --domain=example.org
See Also
sq(1), sq-pki(1), sq-pki-link-add(1), sq-pki-link-authorize(1), sq-pki-link-retract(1), sq-pki-link-list(1).
For the full documentation see <https://book.sequoia-pgp.org>.
Version
0.39.0 (sequoia-openpgp 1.21.2)
Referenced By
sq-pki(1), sq-pki-link-add(1), sq-pki-link-authorize(1), sq-pki-link-list(1), sq-pki-link-retract(1).