SQ(1)				 User Commands				 SQ(1)

NAME
       sq-pki-link-add - Link a certificate and a user ID

SYNOPSIS
       sq pki link add [OPTIONS]

DESCRIPTION
       Link a certificate and a user ID.

       This causes `sq` to consider the certificate and user ID binding to be
       authentic.  You would do this if you are confident that a particular
       certificate should be associated with Alice, for example.  Note: this
       does not consider the certificate to be a trusted introducer; it only
       considers the binding to be authentic.  To authorize a certificate to
       be a trusted introducer use `sq pki link authorize`.

       A link can be retracted using `sq pki link retract`.

       This command is similar to `sq pki vouch add`, but the certifications
       it makes are done using the certificate directory's trust root, not an
       arbitrary key.  Further, the certificates are marked as non-exportable.
       The former makes it easier to manage certifications, especially when
       the user's certification key is offline.  And the latter improves the
       user's privacy, by reducing the chance that parts of the user's social
       graph are leaked when a certificate is shared.

       By default a link never expires.  This can be overridden using the
       `--expiration` argument.

       `sq pki link add` respects the reference time set by the top-level
       `--time` argument. It sets the link's creation time to the reference
       time.

OPTIONS
   Subcommand options
       --add-email=EMAIL
	      Use a user ID with the specified email address

              The user ID consists of just the email address.  The email
              address does not have to appear in a self-signed user ID.

       --add-userid=USERID
              Use the specified user ID

              The specified user ID does not need to be self signed.

              Because using a user ID that is not self-signed is often a
              mistake, you need to use this option to explicitly opt in.

       --all  Use all self-signed user IDs

       --allow-non-canonical-userids
              Don't reject new user IDs that are not in canonical form

              Canonical user IDs are of the form
              `Name (Comment) <localpart@example.org>`.

       --amount=AMOUNT
              Set the amount of trust

              Values between 1 and 120 are meaningful.  120 means fully
              trusted.  Values less than 120 indicate the degree of trust.  60
              is usually used for partially trusted.

              [default: full]

       --cert=FINGERPRINT|KEYID
              Use certificates with the specified fingerprint or key ID

       --cert-special=SPECIAL
              Use certificates identified by the special name

              [possible values: public-directories, keys.openpgp.org,
              keys.mailvelope.com, proton.me, wkd, dane, autocrypt, web]

       --email=EMAIL
              Use a user ID consisting of just the email address, if the email
              address occurs in a self-signed user ID

       --expiration=EXPIRATION
	      Sets the expiration time

              EXPIRATION is either an ISO 8601 formatted date with an optional
              time or a custom duration.  A duration takes the form
              `N[ymwds]`, where the letters stand for years, months, weeks,
              days, and seconds, respectively.  Alternatively, the keyword
              `never` does not set an expiration time.

              [default: never]

       --recreate
              Recreate signature even if the parameters did not change

              If the link parameters did not change, and thus creating a
              signature should not be necessary, we omit the operation.  This
              flag can be given to force the signature to be re-created
              anyway.

       --signature-notation NAME VALUE
              Add a notation to the signature

              A user-defined notation's name must be of the form
              `name@a.domain.you.control.org`. If the notation's name starts
              with a `!`, then the notation is marked as being critical.  If a
              consumer of a signature doesn't understand a critical notation,
              then it will ignore the signature.  The notation is marked as
              being human readable.

       --temporary
	      Temporarily accepts the binding

              Creates a fully trusted link between a certificate and one or
              more User IDs for a week.  After that, the link is automatically
              downgraded to a partially trusted link (trust = 40).

       --userid=USERID
	      Use the specified	self-signed user ID

	      The specified user ID must be self signed.

       --userid-by-email=EMAIL
	      Use the self-signed user ID with the specified email address

   Global options
       See sq(1) for a description of the global options.

EXAMPLES
       Link  the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the
       email address alice@example.org.

	      sq pki link add \
		     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
		     --email=alice@example.org

       First, examine the certificate
       EB28F26E2739A4870ECC47726F0073F60FD0CBF0.

	      sq inspect --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0

       Then, temporarily accept the certificate
       EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all of its self-signed
       user IDs for a week.

	      sq pki link add --expiration=1w \
		     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

       Once satisfied, permanently accept the certificate
       EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all of its self-signed
       user IDs.

	      sq pki link add \
		     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all
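
       For scripts that pass externally supplied values to `sq pki link add`,
       the documented value forms can be checked before the command is run.
       This is an added example, not part of the sq documentation or code: the
       function names are hypothetical, the email character set is a
       conservative assumption, and only the forms described on this page are
       accepted (sq itself may accept more).

```shell
#!/bin/sh
# Added example: pre-flight checks for values handed to `sq pki link add`.
# Accepted forms are limited to those this man page documents.

# --amount: "full" (the documented default) or an integer from 1 to 120.
valid_amount() {
    case "$1" in
        full) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    # Length check first so very long digit strings never reach `[ -ge ]`.
    [ "${#1}" -le 3 ] && [ "$1" -ge 1 ] && [ "$1" -le 120 ]
}

# --expiration: "never", a duration N[ymwds], or an ISO 8601 date.
# Only the date-only form is checked; the optional time part is not handled.
valid_expiration() {
    case "$1" in
        never) return 0 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]+[ymwds]|[0-9]{4}-[0-9]{2}-[0-9]{2})$'
}

# --cert: 40 hex digits, the fingerprint form used in the EXAMPLES section.
valid_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Print the command line that would be run, or fail and print nothing.
# usage: link_add_cmd FINGERPRINT EMAIL AMOUNT EXPIRATION
link_add_cmd() {
    valid_fingerprint "$1" || { echo "bad fingerprint" >&2; return 1; }
    valid_amount "$3"      || { echo "bad amount" >&2; return 1; }
    valid_expiration "$4"  || { echo "bad expiration" >&2; return 1; }
    case "$2" in
        ''|*[!A-Za-z0-9@._+-]*) echo "bad email" >&2; return 1 ;;
        *@*) ;;
        *) echo "bad email" >&2; return 1 ;;
    esac
    # --email only matches addresses that occur in a self-signed user ID,
    # so sq still has the final say on whether the link is created.
    printf 'sq pki link add --cert=%s --email=%s --amount=%s --expiration=%s\n' \
        "$1" "$2" "$3" "$4"
}
```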

SEE ALSO
       sq(1), sq-pki(1), sq-pki-link(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION
       1.3.1

Sequoia	PGP			     1.3.1				 SQ(1)
