SQ(1)				 User Commands				 SQ(1)

NAME
       sq-pki-authenticate - Authenticate a binding

SYNOPSIS
       sq pki authenticate [OPTIONS]

DESCRIPTION
       Authenticate a binding.

       Authenticate  a	binding	 (a  certificate and User ID) by looking for a
       path from the trust roots to the	specified binding in the Web of	Trust.
       Because certifications may express  uncertainty	(i.e.,	certifications
       may  be	marked	as conveying only partial or marginal trust), multiple
       paths may be needed.

       An error is returned if no binding could be authenticated to the
       specified level (by default: fully authenticated, i.e., a trust
       amount of 120).

       If any valid paths to the binding are found, they are printed on	stdout
       whether they are	sufficient to authenticate the binding or not.

OPTIONS
   Subcommand options
       --amount=AMOUNT
	      The required amount of trust

	      120 indicates full authentication; values	less than 120 indicate
	      partial  authentication.	 When	`--certification-network`   is
	      passed,  this defaults to	1200, i.e., this command tries to find
	      10 paths.

       --cert=FINGERPRINT|KEYID
	      Use certificates with the	specified fingerprint or key ID

       --certification-network
	      Treats the network as a certification network

	      Normally,	the authentication machinery treats the	Web  of	 Trust
	      network  as an authentication network where a certification only
	      means that the binding is	correct, not that the target should be
	      treated as a trusted introducer.	In  a  certification  network,
	      the targets of certifications are	treated	as trusted introducers
	      with  infinite  depth,  and any regular expressions are ignored.
	      Note: The	trust amount remains  unchanged.   This	 is  how  most
	      so-called	PGP path-finding algorithms work.

       --email=EMAIL
	      Authenticate the specified email address

	      This  checks  whether  it	 is possible to	authenticate a user ID
	      with the specified email address.	 The user IDs do not  need  to
	      be  self	signed.	 To authenticate a user	ID containing just the
	      specified	email address, use `--userid <EMAIL>`.

       --gossip
	      Treats all certificates as unreliable trust roots

	      This option is useful for	figuring out what others think about a
	      certificate (i.e., gossip	or hearsay).   In  other  words,  this
	      finds arbitrary paths to a particular certificate.

	      Gossip  is useful	in helping to identify alternative ways	to au-
	      thenticate a certificate.	 For instance, imagine Ed wants	to au-
	      thenticate Laura's certificate, but asking her directly  is  in-
	      convenient.   Ed discovers that Micah has	certified Laura's cer-
	      tificate,	but Ed hasn't yet authenticated	 Micah's  certificate.
	      If  Ed  is willing to rely on Micah as a trusted introducer, and
	      authenticating Micah's certificate is easier than	authenticating
	      Laura's certificate, then	Ed has learned about an	easier way  to
	      authenticate Laura's certificate.

	      Stable since 1.1.0.

       --show-paths
	      Show why a binding is authenticated

	      By  default,  only a user	ID and certificate binding's degree of
	      authentication (a	value between  0  and  120)  is	 shown.	  This
	      changes  the  output to also show	how that value was computed by
	      showing the paths	from the trust roots to	the bindings.

       --unusable
	      Show bindings that are unusable

	      Normally, unusable certificates and bindings are not shown. This
	      option considers bindings even if they are unusable because
	      they (or the certificates) are not valid according to the
	      policy, are revoked, or are not live.

	      This option only makes sense with	`--gossip`,  because  unusable
	      bindings are still considered unauthenticated.

	      Stable since 1.1.0.

       --userid=USERID
	      Authenticate the specified user ID

	      The specified user ID does not need to be	self signed.

   Global options
       See sq(1) for a description of the global options.

EXAMPLES
       Authenticate a specific binding.

	      sq pki authenticate --cert \
		     EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --userid \
		     "Alice <alice@example.org>"

       Check  whether we can authenticate any user ID with the specified email
       address for the given certificate.

	      sq pki authenticate --cert \
		     EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --email \
		     alice@example.org
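
       Gate a script on the command's exit status. This is an added
       example, not part of the original manual page or the Sequoia
       project; the function name authenticate_binding and its return
       codes are assumptions chosen for illustration. It relies only on
       the documented behavior that an error is returned when the binding
       cannot be authenticated to the requested amount, and falls back to
       `--gossip` to list unverified paths for manual review.

```shell
#!/bin/sh
# Added example (not from the sq manual): fail closed unless a binding
# authenticates to the required trust amount.
#
# Usage: authenticate_binding CERT EMAIL [AMOUNT]
#   CERT    fingerprint or key ID, passed to --cert
#   EMAIL   email address, passed to --email
#   AMOUNT  required trust amount, default 120 (full authentication)
# Returns: 0 authenticated, 1 not authenticated, 2 bad AMOUNT argument.
authenticate_binding() {
    cert=$1
    email=$2
    amount=${3:-120}

    # Reject anything that is not a plain non-negative integer before it
    # reaches the sq command line.
    case $amount in
        ''|*[!0-9]*)
            echo "authenticate_binding: AMOUNT must be an integer" >&2
            return 2
            ;;
    esac

    # sq exits non-zero when no path from the trust roots reaches the
    # requested amount, so the exit status is the decision.
    if sq pki authenticate --cert "$cert" --email "$email" \
            --amount="$amount" --show-paths; then
        return 0
    fi

    # Diagnostics only: gossip paths start at unreliable roots and never
    # authenticate anything. They show who has certified the binding, so
    # an operator can decide which introducer to verify next.
    echo "binding not authenticated to $amount; gossip paths:" >&2
    sq pki authenticate --gossip --cert "$cert" --email "$email" >&2 || true
    return 1
}

# Example call, using the fingerprint from the EXAMPLES above:
#   authenticate_binding EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
#       alice@example.org 120 || exit 1
```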

SEE ALSO
       sq(1), sq-pki(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION
       1.3.1

Sequoia	PGP			     1.3.1				 SQ(1)
