sq pki vouch authorize - Mark a certificate as a trusted
introducer
sq pki vouch authorize [OPTIONS]
Mark a certificate as a trusted introducer.
Creates a certification that says that the issuer considers the
certificate to be a trusted introducer. Trusted introducer is another word
for certification authority (CA). When a user relies on a trusted
introducer, the user considers certifications made by the trusted introducer
to be valid. A trusted introducer can also designate further trusted
introducers.
As is, a trusted introducer has a lot of power. This power can be
limited in several ways.
- The ability to specify further introducers can be constrained using the
`--depth` parameter.
- The degree to which an introducer is trusted can be changed using the
`--amount` parameter.
- The user IDs that an introducer can certify can be constrained by domain
using the `--domain` parameter or a regular expression using the `--regex`
parameter.
These mechanisms allow Alice to say that she is willing to rely on
the CA for example.org, but only for user IDs that have an email address for
example.org, for instance.
By default a delegation expires after 5 years. Use the
`--expiration` argument to override this.
This subcommand respects the reference time set by the top-level
`--time` argument. It sets the certification's creation time to the
reference time.
- --all
- Use all self-signed user IDs
- --allow-non-canonical-userids
- Don't reject new user IDs that are not in canonical form.
- Canonical user IDs are of the form `Name (Comment)
<localpart@example.org>`.
- --amount=AMOUNT
- Set the amount of trust. Values between 1 and 120 are meaningful. 120
means fully trusted. Values less than 120 indicate the degree of trust. 60
is usually used for partially trusted.
- [default: full]
- --cert=FINGERPRINT|KEYID
- Use certificates with the specified fingerprint or key ID
- --cert-file=PATH
- Read certificates from PATH
- --certifier=FINGERPRINT|KEYID
- Create the certification using the key with the specified fingerprint or
key ID
- --certifier-email=EMAIL
- Create the certification using the key where a user ID includes the
specified email address
- --certifier-file=PATH
- Create the certification using the key read from PATH
- --certifier-userid=USERID
- Create the certification using the key with the specified user ID
- --depth=TRUST_DEPTH
- Set the trust depth (sometimes referred to as the trust level). 1 means
CERTIFICATE is a trusted introducer (default), 2 means CERTIFICATE is a
meta-trusted introducer and can authorize another trusted introducer,
etc.
- [default: 1]
- --domain=DOMAIN
- Add a domain constraint to the introducer.
- Add a domain to constrain what certifications are respected. A
certification made by the certificate is only respected if it is over a
user ID with an email address in the specified domain. Multiple domains
may be specified. In that case, one must match.
- --email=EMAIL
- Use the self-signed user ID with the specified email address
- --email-or-add=EMAIL
- Use a user ID with the specified email address.
- This first searches for a matching self-signed user ID. If there is no
self-signed user ID with the specified email address, it uses a new user
ID with the specified email address, and no display name.
- --expiration=EXPIRATION
- Sets the expiration time.
- EXPIRATION is either an ISO 8601 formatted date with an optional time or a
custom duration. A duration takes the form `N[ymwds]`, where the letters
stand for years, months, weeks, days, and seconds, respectively.
Alternatively, the keyword `never` does not set an expiration time.
- [default: 5y]
- --local
- Make the certification a local certification. Normally, local
certifications are not exported.
- --non-revocable
- Mark the certification as being non-revocable. That is, you cannot later
revoke this certification. This should normally only be used with an
expiration.
- --output=FILE
- Write to FILE or stdout if omitted
- --regex=REGEX
- Add a regular expression to constrain the introducer.
- Add a regular expression to constrain what certifications are respected. A
certification made by the certificate is only respected if it is over a
user ID that matches one of the specified regular expression. Multiple
regular expressions may be specified. In that case, at least one must
match.
- --signature-notation
NAME VALUE
- Add a notation to the certification. A user-defined notation's name must
be of the form `name@a.domain.you.control.org`. If the notation's name
starts with a !, then the notation is marked as being critical. If a
consumer of a signature doesn't understand a critical notation, then it
will ignore the signature. The notation is marked as being human
readable.
- --unconstrained
- Don't constrain the introducer.
- Normally an introducer is constrained so that only certain user IDs are
respected, e.g., those that have an email address for a certain domain
name. This option authorizes an introducer without constraining it in this
way. Because this grants the introducer a lot of power, you have to opt in
to this behavior explicitly.
- --userid=USERID
- Use the specified self-signed user ID.
- The specified user ID must be self signed.
- --userid-or-add=USERID
- Use the specified user ID.
- The specified user ID does not need to be self signed.
- Because using a user ID that is not self-signed is often a mistake, you
need to use this option to explicitly opt in. That said, certifying a user
ID that is not self-signed is useful. For instance, you can associate an
alternate email address with a certificate, or you can add a petname,
i.e., a memorable, personal name like "mom".
See sq(1) for a description of the global options.
Certify that E7FC51AD886BBB5C4F44C3D7A9DA14F3E740F63F is a trusted
introducer for example.org and example.com.
--certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--cert=E7FC51AD886BBB5C4F44C3D7A9DA14F3E740F63F \
--domain=example.org --domain=example.com --all
sq(1), sq-pki(1), sq-pki-vouch(1).
For the full documentation see
<https://book.sequoia-pgp.org>.
0.40.0 (sequoia-openpgp 1.21.2)