sq-pki-link-authorize - Man Page

Make a certificate a trusted introducer

Synopsis

sq pki link authorize [Options]  

Description

Make a certificate a trusted introducer.

This causes `sq` to consider the certificate to be a be a trusted introducer.  Trusted introducer is another word for certification authority (CA).  When you link a trusted introducer, you consider certifications made by the trusted introducer to be valid.  A trusted introducer can also designate further trusted introducers.

As is, a trusted introducer has a lot of power.  This power can be limited in several ways.

 - The ability to specify further introducers can be constrained using the `--depth` parameter.

 - The degree to which an introducer is trusted can be changed using the `--amount` parameter.

 - The user IDs that an introducer can certify can be constrained by domain using the `--domain` parameter or a regular expression using the `--regex` parameter.

These mechanisms allow you to say that you are willing to rely on the CA for example.org, but only for user IDs that have an email address for example.org, for instance.

A link can be retracted using `sq pki link retract`.

This command is similar to `sq pki vouch authorize`, but the certifications it makes are done using the certificate directory's trust root, not an arbitrary key.  Further, the certificates are marked as non-exportable.  The former makes it easier to manage certifications, especially when your certification key is offline.  And the latter improves your privacy, by reducing the chance that parts of your social graph are leaked when a certificate is shared.

By default a link never expires.  Using the `--expiration` argument specific validity periods may be defined.  It allows for providing a point in time for validity to end or a validity duration.

`sq pki link authorize` respects the reference time set by the top-level `--time` argument. It sets the link's creation time to the reference time.

Options

Subcommand options

--add-userid

Use the given user ID even if it isn't a self-signed user ID.

Because certifying a user ID that is not self-signed is often a mistake, you need to use this option to explicitly opt in.  That said, certifying a user ID that is not self-signed is useful.  For instance, you can associate an alternate email address with a certificate, or you can add a petname, i.e., a memorable, personal name like "mom".

--all

Use all self-signed user IDs

--amount=AMOUNT

Set the amount of trust.  Values between 1 and 120 are meaningful. 120 means fully trusted.  Values less than 120 indicate the degree of trust.  60 is usually used for partially trusted.

[default: full]

--cert=FINGERPRINT|KEYID

Use certificates with the specified fingerprint or key ID

--depth=TRUST_DEPTH

Set the trust depth (sometimes referred to as the trust level).  1 means CERTIFICATE is a trusted introducer (default), 2 means CERTIFICATE is a meta-trusted introducer and can authorize another trusted introducer, etc.

[default: 255]

--domain=DOMAIN

Add a domain constraint to the introducer.

Add a domain to constrain what certifications are respected.  A certification made by the certificate is only respected if it is over a user ID with an email address in the specified domain.  Multiple domains may be specified.  In that case, one must match.

--email=EMAIL

Use the specified email address

--expiration=EXPIRATION

Sets the expiration time.

EXPIRATION is either an ISO 8601 formatted string or a custom duration, which takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively.  Alternatively, the keyword `never` does not set an expiration time.

[default: never]

--notation NAME VALUE

Add a notation to the certification.  A user-defined notation's name must be of the form `name@a.domain.you.control.org`. If the notation's name starts with a `!`, then the notation is marked as being critical.  If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature.  The notation is marked as being human readable.

--recreate

Recreate the signature even if the parameters did not change

If the link parameters did not change, and thus creating a signature should not be necessary, we omit the operation.  This flag can be given to force the signature to be recreated anyway.

--regex=REGEX

Add a regular expression to constrain the introducer.

Add a regular expression to constrain what certifications are respected.  A certification made by the certificate is only respected if it is over a user ID that matches one of the specified regular expression.  Multiple regular expressions may be specified.  In that case, at least one must match.

--unconstrained

Don't constrain the introducer.

Normally an introducer is constrained so that only certain user IDs are respected, e.g., those that have an email address for a certain domain name.  This option authorizes an introducer without constraining it in this way.  Because this grants the introducer a lot of power, you have to opt in to this behavior explicitly.

--userid=USERID

Use the specified user ID

Global options

See sq(1) for a description of the global options.

Examples

Add an unconstrained trusted introducer.

    sq pki link authorize --unconstrained \
    --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0

Add a trusted introducer for example.org and example.com.

    sq pki link authorize --domain=example.org \
    --domain=example.com \

--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0

Add a partially trusted introducer.

    sq pki link authorize --unconstrained --amount=60 \
    --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0

See Also

sq(1), sq-pki(1), sq-pki-link(1).

For the full documentation see <https://book.sequoia-pgp.org>.

Version

0.39.0 (sequoia-openpgp 1.21.2)

Referenced By

sq-pki-link(1).

0.39.0 Sequoia PGP