sq-wot - Man Page
An implementation of OpenPGP's web of trust.
Synopsis
sequoia-wot [--gpg] [-k|--keyring] [--gpg-keyring] [--network] [--keyserver] [-r|--trust-root] [-f|--format] [--gpg-ownertrust] [--gossip] [--certification-network] [-a|--trust-amount] [--partial] [--full] [--double] [--time] [--known-notation] [-h|--help] [-V|--version] <subcommands>
Description
An implementation of OpenPGP's web of trust.
Options
- --gpg
Uses gpg's keyring and gpg's trust roots.
When this option is set, `sq-wot` reads gpg's keyring and gpg's ownertrust. This is equivalent to passing `--gpg-keyring` and `--gpg-ownertrust`.
- -k, --keyring=FILE
Adds KEYRING to the list of keyrings
The keyrings are read at start up and used to build a web of trust network. Note: if a certificate occurs multiple times, the first version is taken; they are not currently merged.
- --gpg-keyring
Adds GnuPG's keyring to the list of keyrings.
This option causes `sq-wot` to read gpg's keyring, by parsing the output of `gpg --export --export-options export-local-sigs`.
- --network
Looks up missing certificates over the network.
This causes `sq-wot` to look up missing certificates on a key server. The default key server can be overridden using the `--keyserver` option.
Certificates fetched from a key server are cached locally in the default cert-d. The default cert-d is also checked prior to fetching a certificate from the key server.
- --keyserver=KEYSERVER [default: hkps://keyserver.ubuntu.com]
Sets the keyserver to use to KEYSERVER.
This option only makes sense when used in conjunction with the `--network` option. Currently, it is only possible to set a single keyserver.
- -r, --trust-root=FINGERPRINT|KEYID
Treats the specified certificate as a trust root.
It is possible to have multiple trust roots. All trust roots are treated equivalently. This can be combined with `--gpg-ownertrust`.
- -f, --format=FORMAT [default: human-readable]
Render the output in a specific format
Choosing a different output format allows for further post processing of the data using external tools.
Possible values:
- human-readable: output in human readable format
- --gpg-ownertrust
Causes `sq-wot` to use gpg's trust roots as the trust roots.
`sq-wot` reads the output of `gpg --export-ownertrust`. It treats gpg's ultimately trusted certificates as fully trust roots. Similar to gpg, it also treats certificates marked as fully and marginally trusted as fully and marginally trusted roots, if a self-signed User ID can be authenticated by an ultimately trusted root.
It is possible to set additional trust roots using the `--trust-root` option.
- --gossip
Treats all certificates as unreliable trust roots.
This option is useful for figuring out what others think about a certificate (i.e., gossip or hearsay). In other words, this finds arbitrary paths to a particular certificate.
Gossip is useful in helping to identify alternative ways to authenticate a certificate. For instance, imagine Ed wants to authenticate Laura's certificate, but asking her directly is inconvenient. Ed discovers that Micah has certified Laura's certificate, but Ed hasn't yet authenticated Micah's certificate. If Ed is willing to rely on Micah as a trusted introducer, and authenticating Micah's certificate is easier than authenticating Laura's certificate, then Ed has learned about an easier way to authenticate Laura's certificate.
EXAMPLES:
# Get gossip about a certificate.{n} $ sq-wot --keyring keyring.pgp \\{n} --gossip identify 3217C509292FC67076ECD75C7614269BDDF73B36
- --certification-network
Treats the network as a certification network.
Normally, `sq-wot` treats the web-of-trust network as an authentication network where a certification only means that the binding is correct, not that the target should be treated as a trusted introducer. In a certification network, the targets of certifications are treated as trusted introducers with infinite depth, and any regular expressions are ignored. Note: The trust amount remains unchanged. This is how most so-called pgp path-finding algorithms work.
- -a, --trust-amount=TRUST_AMOUNT
The required amount of trust.
120 indicates full authentication; values less than 120 indicate partial authentication. When `--certification-network` is passed, this defaults to 1200, i.e., sq-wot tries to find 10 paths.
- --partial
Require partial authentication.
This is the same as passing `--trust-amount 40`.
- --full
Require full authentication.
This is the same as passing `--trust-amount 120`.
- --double
Require double authentication.
This is the same as passing `--trust-amount 240`.
- --time=TIME
Sets the reference time to TIME.
TIME is interpreted as an ISO 8601 timestamp. To set the reference time to July 21, 2013 at midnight UTC, you can do:
$ sq-wot --time 20130721 CMD ...
To include a time, add a T, the time and optionally the timezone (the default timezone is UTC):
$ sq-wot --time 20130721T0550+0200 CMD ...
- --known-notation=KNOWN_NOTATION
Adds NOTATION to the list of known notations
This is used when validating signatures. Signatures that have unknown notations with the critical bit set are considered invalid.
- -h, --help
Print help (see a summary with '-h')
- -V, --version
Print version
Subcommands
- sequoia-wot-authenticate(1)
Authenticate a binding
- sequoia-wot-lookup(1)
Lookup the certificates associated with a User ID
- sequoia-wot-identify(1)
Identify a certificate
- sequoia-wot-list(1)
List all authenticated bindings (User ID and certificate pairs)
- sequoia-wot-path(1)
Verify the specified path
- sequoia-wot-help(1)
Print this message or the help of the given subcommand(s)
Version
v0.12.0
Authors
Neal H. Walfield <neal@sequoia-pgp.org>