FreeBSD Manual Pages

SQ(1)				 User Commands				 SQ(1)

NAME
       sq-pki-vouch-authorize - Mark a certificate as a trusted introducer

SYNOPSIS
       sq pki vouch authorize [OPTIONS]

DESCRIPTION
       Mark a certificate as a trusted introducer.

       Creates a certification that says that the issuer considers the
       certificate to be a trusted introducer.  Trusted introducer is
       another term for a certification authority (CA).  When a user relies
       on a trusted introducer, the user considers certifications made by
       the trusted introducer to be valid.  A trusted introducer can also
       designate further trusted introducers.

       Without constraints, a trusted introducer has a lot of power.  This
       power can be limited in several ways:

         - The ability to designate further introducers can be constrained
           using the `--depth` parameter.

         - The degree to which an introducer is trusted can be changed using
           the `--amount` parameter.

         - The user IDs that an introducer can certify can be constrained by
           domain using the `--domain` parameter, or by a regular expression
           using the `--regex` parameter.

       Together, these mechanisms allow Alice to say, for instance, that she
       is willing to rely on the CA for example.org, but only for user IDs
       that have an email address at example.org.

       By default a delegation expires after 10 years.  Use the
       `--expiration` argument to override this.

       This subcommand respects the reference time set by the top-level
       `--time` argument.  It sets the certification's creation time to the
       reference time.

OPTIONS
   Subcommand options
       --add-email=EMAIL
	      Use a user ID with the specified email address

	      The user ID consists of just the email address.  The  email  ad-
	      dress does not have to appear in a self-signed user ID.

       --add-userid=USERID
	      Use the specified	user ID

	      The specified user ID does not need to be	self signed.

	      Because  using a user ID that is not self-signed is often	a mis-
	      take, you	need to	use this option	to explicitly opt in.

       --all  Use all self-signed user IDs

       --allow-non-canonical-userids
	      Don't reject new user IDs	that are not in	canonical form

	      Canonical	user IDs are  of  the  form  `Name  (Comment)  <local-
	      part@example.org>`.

       --amount=AMOUNT
	      Set the amount of	trust

	      Values  between  1  and  120  are	 meaningful.  120  means fully
	      trusted.	Values less than 120 indicate the degree of trust.  60
	      is usually used for partially trusted.

	      [default:	full]

       --cert=FINGERPRINT|KEYID
	      Use certificates with the	specified fingerprint or key ID

       --cert-file=PATH
	      Read certificates	from PATH

       --certifier=FINGERPRINT|KEYID
	      Create the certification using the key with the  specified  fin-
	      gerprint or key ID

       --certifier-email=EMAIL
	      Create  the certification	using the key where a user ID includes
	      the specified email address

       --certifier-file=PATH
	      Create the certification using the key read from PATH

       --certifier-self
	      Create the certification using your default certification	key

	      This uses	the certificates set in	the configuration  file	 under
	      `pki.vouch.certifier-self` as certification key.

	      Currently, there is no default certification key.

       --certifier-userid=USERID
	      Create  the  certification using the key with the	specified user
	      ID

       --depth=TRUST_DEPTH
	      Set the trust depth

	      This is sometimes	referred to as the trust level.	 1 means  CER-
	      TIFICATE	is a trusted introducer	(default), 2 means CERTIFICATE
	      is a meta-trusted	introducer and can authorize  another  trusted
	      introducer, etc.

	      [default:	1]

       --domain=DOMAIN
              Add a domain constraint to the introducer

              Add a domain to constrain what certifications are respected.  A
              certification made by the certificate is only respected if it
              is over a user ID with an email address in the specified
              domain.  Multiple domains may be specified.  In that case, at
              least one must match.

       --email=EMAIL
	      Use a user ID consisting of just the email address, if the email
	      address occurs in	a self-signed user ID

       --expiration=EXPIRATION
	      Sets the expiration time

	      EXPIRATION is either an ISO 8601 formatted date with an optional
	      time  or	a  custom  duration.   A  duration  takes   the	  form
	      `N[ymwds]`,  where  the  letters stand for years,	months,	weeks,
	      days, and	 seconds,  respectively.  Alternatively,  the  keyword
	      `never` does not set an expiration time.

	      The  default  can	be changed in the configuration	file using the
	      setting `pki.vouch.expiration`.

	      [default:	10y]

       --local
	      Make the certification a local certification

	      Normally,	local certifications are not exported.

       --non-revocable
	      Mark the certification as	being non-revocable

	      That is, you  cannot  later  revoke  this	 certification.	  This
	      should normally only be used with	an expiration.

       --output=FILE
	      Write to FILE or stdout if omitted

       --regex=REGEX
              Add a regular expression to constrain the introducer

              Add a regular expression to constrain what certifications are
              respected.  A certification made by the certificate is only
              respected if it is over a user ID that matches one of the
              specified regular expressions.  Multiple regular expressions
              may be specified.  In that case, at least one must match.

       --signature-notation NAME VALUE
	      Add a notation to	the signature

	      A	 user-defined  notation's name must be of the form `name@a.do-
	      main.you.control.org`. If	the notation's name starts with	a `!`,
	      then the notation	is marked as being critical.  If a consumer of
	      a	signature doesn't understand a critical	notation, then it will
	      ignore the signature.  The notation is  marked  as  being	 human
	      readable.

       --unconstrained
	      Don't constrain the introducer

	      Normally	an introducer is constrained so	that only certain user
	      IDs are respected, e.g., those that have an email	address	for  a
	      certain domain name.  This option	authorizes an introducer with-
	      out constraining it in this way.	Because	this grants the	intro-
	      ducer  a	lot  of	power, you have	to opt in to this behavior ex-
	      plicitly.

       --userid=USERID
	      Use the specified	self-signed user ID

	      The specified user ID must be self signed.

       --userid-by-email=EMAIL
	      Use the self-signed user ID with the specified email address

   Global options
       See sq(1) for a description of the global options.

EXAMPLES
       Certify that E7FC51AD886BBB5C4F44C3D7A9DA14F3E740F63F is a trusted
       introducer for example.org and example.com.

              sq pki vouch authorize \
                     --certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --cert=E7FC51AD886BBB5C4F44C3D7A9DA14F3E740F63F \
                     --domain=example.org --domain=example.com --all
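       The following is an added illustration, not part of this manual page
       and not Sequoia's or sq's own code: a small Python model of how the
       `--depth`, `--amount`, `--domain` and `--regex` constraints described
       in DESCRIPTION decide whether a user ID binding is authenticated from
       a root certificate.  The introducer names, user IDs and certifications
       are constructed for the example.  Summing the amounts of edge-disjoint
       paths and capping the result at 120, treating `--domain` as an exact
       case-insensitive match of the email's domain, and ignoring expiration
       and revocation are simplifying assumptions of this model, not a
       description of how sequoia-wot evaluates paths.

```python
"""Model of how the introducer constraints on this page (--depth, --amount,
--domain, --regex) decide whether a user ID binding is authenticated.

Added illustration only, NOT sequoia-wot's algorithm or sq's code.  Model
assumptions: amounts of edge-disjoint paths are summed (greedy, best path
first) and capped at 120; --domain is an exact, case-insensitive match of
the email's domain; expiration and revocation are ignored.
"""
import re
from dataclasses import dataclass

FULL = 120      # --amount default: fully trusted
PARTIAL = 60    # the value the page calls "partially trusted"


def email_domain(userid):
    """Domain of the email in 'Name (Comment) <local@domain>' or a bare
    'local@domain' user ID; None when the user ID has no email address."""
    m = (re.search(r"<[^<>\s@]+@([^<>\s]+)>\s*$", userid)
         or re.fullmatch(r"[^@\s]+@(\S+)", userid))
    return m.group(1).lower() if m else None


@dataclass(frozen=True)
class Delegation:
    """One `sq pki vouch authorize` certification: issuer -> target."""
    issuer: str
    target: str
    depth: int = 1           # --depth: 1 = may certify user IDs only
    amount: int = FULL       # --amount
    domains: tuple = ()      # --domain values; any one may match
    regexes: tuple = ()      # --regex values; any one may match

    def accepts(self, userid):
        """Constraint check on the user ID being authenticated.  A delegation
        with neither domains nor regexes is --unconstrained."""
        if not self.domains and not self.regexes:
            return True
        if email_domain(userid) in {d.lower() for d in self.domains}:
            return True
        return any(re.search(rx, userid) for rx in self.regexes)


def valid_paths(root, target, userid, delegations, certifications):
    """All chains root -> ... -> introducer whose last node plainly certifies
    (target, userid), where every edge still has enough depth for the hops
    below it and admits the user ID.  Returns [(edges, amount)], amount being
    the minimum --amount along the chain (FULL for the root's own cert)."""
    by_issuer = {}
    for d in delegations:
        by_issuer.setdefault(d.issuer, []).append(d)
    found = []

    def walk(node, path):
        if (node, target, userid) in certifications:
            k = len(path)
            # edge i sits k - i hops above the final certification
            if all(e.depth >= k - i and e.accepts(userid)
                   for i, e in enumerate(path)):
                amount = min([e.amount for e in path], default=FULL)
                found.append((tuple(path), amount))
        for e in by_issuer.get(node, []):   # no cycles, never back to root
            if e.target != root and e.target not in {p.target for p in path}:
                walk(e.target, path + [e])

    walk(root, [])
    return found


def authenticated_amount(root, target, userid, delegations, certifications):
    """Sum amounts of edge-disjoint valid paths, capped at FULL; 120 means
    the binding is fully authenticated, 0 that no path authenticates it."""
    used, total = set(), 0
    paths = valid_paths(root, target, userid, delegations, certifications)
    for edges, amount in sorted(paths, key=lambda p: -p[1]):
        if used.isdisjoint(edges):
            used.update(edges)
            total += amount
    return min(total, FULL)


# Constructed scenario (not real certificates): alice is the root.
DELEGATIONS = (
    Delegation("alice", "ca", depth=1, domains=("example.org",)),  # page's example
    Delegation("alice", "carol", depth=2, amount=PARTIAL),  # unconstrained, depth 2
    Delegation("carol", "dave", depth=1),
    Delegation("dave", "frank", depth=1),                   # one hop too deep
    Delegation("alice", "heidi", depth=1, amount=PARTIAL,
               regexes=(r"@example\.net>?$",)),             # constrained by --regex
    Delegation("alice", "ivan", depth=1, amount=PARTIAL,
               domains=("example.net",)),                   # constrained by --domain
)
CERTIFICATIONS = {   # (certifier, certificate, user ID) plain certifications
    ("ca", "bob", "Bob <bob@example.org>"),
    ("ca", "mallory", "Mallory <mallory@example.com>"),
    ("dave", "eve", "Eve <eve@example.net>"),
    ("frank", "grace", "grace@example.net"),
    ("heidi", "judy", "judy@example.net"),
    ("ivan", "judy", "judy@example.net"),
}

if __name__ == "__main__":
    for cert, uid in sorted({(c, u) for _, c, u in CERTIFICATIONS}):
        print(uid, authenticated_amount("alice", cert, uid, DELEGATIONS, CERTIFICATIONS))
```

       Running the script shows each mechanism in turn: the `ca` delegation
       mirrors the example above, so bob@example.org is fully authenticated
       but mallory@example.com is not, even though the same CA certified
       it; carol's depth-2 delegation reaches dave (amount 60, the minimum
       along the path) but not frank, whose certification of grace needs a
       depth of 3 at the first hop; and heidi and ivan, each trusted at 60,
       together authenticate judy@example.net at 120.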

SEE ALSO
       sq(1), sq-pki(1), sq-pki-vouch(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION
       1.3.1

Sequoia	PGP			     1.3.1				 SQ(1)
