Scroll to navigation

SQ(1) User Commands SQ(1)

NAME

sq-pki-vouch-authorize - Mark a certificate as a trusted introducer

SYNOPSIS

sq pki vouch authorize [OPTIONS]

DESCRIPTION

Mark a certificate as a trusted introducer.

Creates a certification that says that the issuer considers the certificate to be a trusted introducer. Trusted introducer is another word for certification authority (CA). When a user relies on a trusted introducer, the user considers certifications made by the trusted introducer to be valid. A trusted introducer can also designate further trusted introducers.

As is, a trusted introducer has a lot of power. This power can be limited in several ways.


- The ability to specify further introducers can be constrained using the `--depth` parameter.


- The degree to which an introducer is trusted can be changed using the `--amount` parameter.


- The user IDs that an introducer can certify can be constrained by domain using the `--domain` parameter or a regular expression using the `--regex` parameter.

These mechanisms allow Alice to say that she is willing to rely on the CA for example.org, but only for user IDs that have an email address for example.org, for instance.

By default a delegation expires after 10 years. Use the `--expiration` argument to override this.

This subcommand respects the reference time set by the top-level `--time` argument. It sets the certification's creation time to the reference time.

OPTIONS

Subcommand options

Use a user ID with the specified email address
The user ID consists of just the email address. The email address does not have to appear in a self-signed user ID.
Use the specified user ID
The specified user ID does not need to be self signed.
Because using a user ID that is not self-signed is often a mistake, you need to use this option to explicitly opt in.
Use all self-signed user IDs
Don't reject new user IDs that are not in canonical form
Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.
Set the amount of trust
Values between 1 and 120 are meaningful. 120 means fully trusted. Values less than 120 indicate the degree of trust. 60 is usually used for partially trusted.
[default: full]
Use certificates with the specified fingerprint or key ID
Read certificates from PATH
Create the certification using the key with the specified fingerprint or key ID
Create the certification using the key where a user ID includes the specified email address
Create the certification using the key read from PATH
Create the certification using your default certification key
This uses the certificates set in the configuration file under `pki.vouch.certifier-self` as certification key.
Currently, there is no default certification key.

Create the certification using the key with the specified user ID
Set the trust depth
This is sometimes referred to as the trust level. 1 means CERTIFICATE is a trusted introducer (default), 2 means CERTIFICATE is a meta-trusted introducer and can authorize another trusted introducer, etc.
[default: 1]
Add a domain constraint to the introducer
Add a domain to constrain what certifications are respected. A certification made by the certificate is only respected if it is over a user ID with an email address in the specified domain. Multiple domains may be specified. In that case, one must match.
Use a user ID consisting of just the email address, if the email address occurs in a self-signed user ID
Sets the expiration time
EXPIRATION is either an ISO 8601 formatted date with an optional time or a custom duration. A duration takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively. Alternatively, the keyword `never` does not set an expiration time.
The default can be changed in the configuration file using the setting `pki.vouch.expiration`.
[default: 10y]
Make the certification a local certification
Normally, local certifications are not exported.
Mark the certification as being non-revocable
That is, you cannot later revoke this certification. This should normally only be used with an expiration.
Write to FILE or stdout if omitted
Add a regular expression to constrain the introducer
Add a regular expression to constrain what certifications are respected. A certification made by the certificate is only respected if it is over a user ID that matches one of the specified regular expression. Multiple regular expressions may be specified. In that case, at least one must match.
Add a notation to the signature
A user-defined notation's name must be of the form `name@a.domain.you.control.org`. If the notation's name starts with a `!`, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable.
Don't constrain the introducer
Normally an introducer is constrained so that only certain user IDs are respected, e.g., those that have an email address for a certain domain name. This option authorizes an introducer without constraining it in this way. Because this grants the introducer a lot of power, you have to opt in to this behavior explicitly.
Use the specified self-signed user ID
The specified user ID must be self signed.
Use the self-signed user ID with the specified email address

Global options

See sq(1) for a description of the global options.

EXAMPLES

Certify that E7FC51AD886BBB5C4F44C3D7A9DA14F3E740F63F is a trusted introducer for example.org and example.com.

sq pki vouch authorize \
--certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--cert=E7FC51AD886BBB5C4F44C3D7A9DA14F3E740F63F \
--domain=example.org --domain=example.com --all






SEE ALSO


sq(1), sq-pki(1), sq-pki-vouch(1).


For the full documentation see
    <https://book.sequoia-pgp.org/>.






VERSION


1.3.1







  

    1.3.1
    Sequoia PGP