sq pki vouch add - Certify a User ID for a Certificate
sq pki vouch add [OPTIONS]
Certify a User ID for a Certificate.
Using a certification a keyholder may vouch for the fact that
another certificate legitimately belongs to a user id. In the context of
emails this means that the same entity controls the key and the email
address. These kind of certifications form the basis for the Web of
Trust.
This command emits the certificate with the new certification. The
updated certificate has to be distributed, preferably by sending it to the
certificate holder for approval. See also `sq key approvals`.
By default a certification expires after 5 years. Using the
`--expiration` argument specific validity periods may be defined. It allows
for providing a point in time for validity to end or a validity
duration.
`sq pki vouch add` respects the reference time set by the
top-level `--time` argument. It sets the certification's creation time to
the reference time.
- --all
- Use all self-signed user IDs
- --allow-non-canonical-userids
- Don't reject new user IDs that are not in canonical form.
- Canonical user IDs are of the form `Name (Comment)
<localpart@example.org>`.
- --amount=AMOUNT
- Set the amount of trust. Values between 1 and 120 are meaningful. 120
means fully trusted. Values less than 120 indicate the degree of trust. 60
is usually used for partially trusted.
- [default: full]
- --cert=FINGERPRINT|KEYID
- Use certificates with the specified fingerprint or key ID
- --cert-file=PATH
- Read certificates from PATH
- --certifier=FINGERPRINT|KEYID
- Create the certification using the key with the specified fingerprint or
key ID
- --certifier-email=EMAIL
- Create the certification using the key where a user ID includes the
specified email address
- --certifier-file=PATH
- Create the certification using the key read from PATH
- --certifier-userid=USERID
- Create the certification using the key with the specified user ID
- --email=EMAIL
- Use the self-signed user ID with the specified email address
- --email-or-add=EMAIL
- Use a user ID with the specified email address.
- This first searches for a matching self-signed user ID. If there is no
self-signed user ID with the specified email address, it uses a new user
ID with the specified email address, and no display name.
- --expiration=EXPIRATION
- Sets the expiration time.
- EXPIRATION is either an ISO 8601 formatted date with an optional time or a
custom duration. A duration takes the form `N[ymwds]`, where the letters
stand for years, months, weeks, days, and seconds, respectively.
Alternatively, the keyword `never` does not set an expiration time.
- [default: 5y]
- --local
- Make the certification a local certification. Normally, local
certifications are not exported.
- --non-revocable
- Mark the certification as being non-revocable. That is, you cannot later
revoke this certification. This should normally only be used with an
expiration.
- --output=FILE
- Write to FILE or stdout if omitted
- --signature-notation
NAME VALUE
- Add a notation to the certification. A user-defined notation's name must
be of the form `name@a.domain.you.control.org`. If the notation's name
starts with a !, then the notation is marked as being critical. If a
consumer of a signature doesn't understand a critical notation, then it
will ignore the signature. The notation is marked as being human
readable.
- --userid=USERID
- Use the specified self-signed user ID.
- The specified user ID must be self signed.
- --userid-or-add=USERID
- Use the specified user ID.
- The specified user ID does not need to be self signed.
- Because using a user ID that is not self-signed is often a mistake, you
need to use this option to explicitly opt in. That said, certifying a user
ID that is not self-signed is useful. For instance, you can associate an
alternate email address with a certificate, or you can add a petname,
i.e., a memorable, personal name like "mom".
See sq(1) for a description of the global options.
Alice certifies that Bob controls 3F68CB84CE537C9A and
bob@example.org.
--certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--cert=511257EBBF077B7AEDAE5D093F68CB84CE537C9A \
Alice certifies that Bob controls 3F68CB84CE537C9A and
bob@bobs.lair.net, which is not a self-signed user ID.
--certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--cert=511257EBBF077B7AEDAE5D093F68CB84CE537C9A \
--email-or-add=bob@bobs.lair.net
sq(1), sq-pki(1), sq-pki-vouch(1).
For the full documentation see
<https://book.sequoia-pgp.org>.
0.40.0 (sequoia-openpgp 1.21.2)