SQ(1) User Commands SQ(1)

NAME

sq pki link - Manage authenticated certificate and User ID links

SYNOPSIS

sq pki link add [OPTIONS]
sq pki link authorize [OPTIONS]
sq pki link retract [OPTIONS]
sq pki link list [OPTIONS] PATTERN

DESCRIPTION

Manage authenticated certificate and User ID links.

Linking a certificate and User ID is one way of making `sq` consider a binding to be authentic. Another way is to use `sq pki vouch add` to certify the binding with an explicitly configured trust root. The linking functionality is often easier to work with, and the information is private by default.

Authenticated bindings can be used to designate a certificate using a symbolic name. For instance, using `sq encrypt`'s `--for-userid` and `--for-email` options, a user can designate a certificate using a User ID or an email address that is authenticated for that certificate.

`sq` also uses authenticated certificates to authenticate other data. For instance, `sq verify` considers signatures made by an authenticated certificate to be authentic.

Users can create a link using `sq pki link add`. That link can later be retracted using `sq pki link retract`. A certificate can also be accepted as a trusted introducer by using `sq pki link authorize`.

`sq` implements linking using non-exportable certifications, and an implicit trust root. An OpenPGP certificate directory, the default certificate store used by `sq`, includes a local trust root, which is stored under the `trust-root` special name. When the user instructs `sq` to accept a binding, `sq` uses the local trust root to create a non-exportable certification, which it stores in the certificate directory. In this way, operations that use the Web of Trust to authenticate a binding automatically use links.

When a user retracts a link, `sq` creates a new, non-exportable certification with zero trust. This certification suppresses the previous link.

SUBCOMMANDS

sq pki link add

Link a certificate and a user ID.

This causes `sq` to consider the certificate and user ID binding to be authentic. You would do this if you are confident that a particular certificate should be associated with Alice, for example. Note: this does not make the certificate a trusted introducer; it only marks the binding as authentic. To authorize a certificate to be a trusted introducer, use `sq pki link authorize`.

A link can be retracted using `sq pki link retract`.

This command is similar to `sq pki vouch add`, but the certifications it makes are done using the certificate directory's trust root, not an arbitrary key. Further, the certifications are marked as non-exportable. The former makes it easier to manage certifications, especially when the user's certification key is offline. And the latter improves the user's privacy, by reducing the chance that parts of the user's social graph are leaked when a certificate is shared.

By default a link never expires. This can be overridden using the `--expiration` argument.

`sq pki link add` respects the reference time set by the top-level `--time` argument. It sets the link's creation time to the reference time.

sq pki link authorize

Make a certificate a trusted introducer.

This causes `sq` to consider the certificate to be a trusted introducer. Trusted introducer is another word for certification authority (CA). When you link a trusted introducer, you consider certifications made by the trusted introducer to be valid. A trusted introducer can also designate further trusted introducers.

As is, a trusted introducer has a lot of power. This power can be limited in several ways.

- The ability to specify further introducers can be constrained using the `--depth` parameter.
- The degree to which an introducer is trusted can be changed using the `--amount` parameter.
- The user IDs that an introducer can certify can be constrained by domain using the `--domain` parameter or a regular expression using the `--regex` parameter.

These mechanisms allow you to say that you are willing to rely on the CA for example.org, but only for user IDs that have an email address for example.org, for instance.

A link can be retracted using `sq pki link retract`.

This command is similar to `sq pki vouch authorize`, but the certifications it makes are done using the certificate directory's trust root, not an arbitrary key. Further, the certifications are marked as non-exportable. The former makes it easier to manage certifications, especially when your certification key is offline. And the latter improves your privacy, by reducing the chance that parts of your social graph are leaked when a certificate is shared.

By default a link never expires. A specific validity period can be set using the `--expiration` argument, which accepts either a point in time at which validity ends or a validity duration.

`sq pki link authorize` respects the reference time set by the top-level `--time` argument. It sets the link's creation time to the reference time.

sq pki link retract

Retract links.

This command retracts links that were previously created using `sq pki link add` or `sq pki link authorize`. See those subcommands' documentation for more details. Note: this is called `retract` and not `remove`, because the certifications are not removed. Instead a new certification is added, which says that the binding has not been authenticated.

`sq pki link retract` respects the reference time set by the top-level `--time` argument. This causes a link to be retracted as of a particular time instead of the current time.
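The retraction and reference-time behaviour described above and in DESCRIPTION, as a simplified model; this is an added example, not code from `sq` or from this manual page. It assumes that the newest trust-root certification created at or before the reference time decides the state of a binding; `Certification`, `link_state`, `day` and the timeline are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Certification:
    """One trust-root certification over a (certificate, user ID) binding."""
    created: datetime                   # reference time (--time) when it was made
    amount: int                         # 0 = retraction; 120 = full trust (RFC 4880 scale)
    expires: Optional[datetime] = None  # None = never expires (the default)


def link_state(history, at):
    """Return the state of a binding's link at reference time `at`.

    Model assumption: the newest certification created at or before `at`
    decides. Later ones are not visible yet, older ones are superseded.
    """
    visible = [c for c in history if c.created <= at]
    if not visible:
        return "unlinked"
    newest = max(visible, key=lambda c: c.created)
    if newest.amount == 0:
        return "retracted"      # zero trust suppresses the earlier link
    if newest.expires is not None and at >= newest.expires:
        return "expired"
    return "linked"


def day(n):
    # Constructed timeline: day 0 is an arbitrary start date.
    return datetime(2024, 1, 1) + timedelta(days=n)


# Constructed history for one binding, mirroring the workflow on this page.
HISTORY = [
    Certification(day(0), 120, expires=day(7)),  # link add --expiration=1w
    Certification(day(3), 120),                  # link add (permanent)
    Certification(day(10), 0),                   # link retract
]

if __name__ == "__main__":
    for n in (-1, 1, 5, 8, 9, 10, 30):
        print(f"day {n:>2}: {link_state(HISTORY, day(n))}")
    # Without the permanent link, the temporary one lapses after a week.
    print("temporary only, day 8:", link_state(HISTORY[:1], day(8)))
```

In this model the binding is still linked when evaluated at day 9: a retraction takes effect from its own creation time, which is what the `--time` argument controls.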

sq pki link list

List links.

This command lists all bindings that are linked or whose link has been retracted.

EXAMPLES

Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the email address alice@example.org.

sq pki link add \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--email=alice@example.org

First, examine the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0.

sq inspect --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0

Then, temporarily accept the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all of its self-signed user IDs for a week.

sq pki link add --expiration=1w \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

Once satisfied, permanently accept the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all of its self-signed user IDs.

sq pki link add \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

Add an unconstrained trusted introducer.

sq pki link authorize --unconstrained \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

Add a trusted introducer for example.org and example.com.

sq pki link authorize --domain=example.org \
--domain=example.com \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

Add a partially trusted introducer.

sq pki link authorize --unconstrained --amount=60 \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the email address alice@example.org.

sq pki link add \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--add-email=alice@example.org

Retract the acceptance of certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 and the email address alice@example.org.

sq pki link retract \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--email=alice@example.org

Retract the acceptance of certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 and any associated user IDs. This effectively invalidates all links.

sq pki link retract \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the email address alice@example.org.

sq pki link add \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--email=alice@example.org

List all links.

sq pki link list

List all links in the example.org domain.

sq pki link list --cert-domain=example.org

SEE ALSO

sq(1), sq-pki(1), sq-pki-link-add(1), sq-pki-link-authorize(1), sq-pki-link-retract(1), sq-pki-link-list(1).

For the full documentation see <https://book.sequoia-pgp.org>.

VERSION

1.0.0 (sequoia-openpgp 1.22.0)

1.0.0 Sequoia PGP