SQ(1)				 User Commands				 SQ(1)

NAME
       sq pki authenticate - Authenticate a binding

SYNOPSIS
       sq pki authenticate [OPTIONS] FINGERPRINT|KEYID USERID

DESCRIPTION
       Authenticate a binding.

       Authenticate  a	binding	 (a  certificate and User ID) by looking for a
       path from the trust roots to the	specified binding in the Web of	Trust.
       Because certifications may express  uncertainty	(i.e.,	certifications
       may  be	marked	as conveying only partial or marginal trust), multiple
       paths may be needed.

       If a binding could be authenticated to the specified level (by default:
       fully authenticated, i.e., a trust amount of 120), then the exit	status
       is 0.  Otherwise	the exit status	is 1.

       If any valid paths to the binding are found, they are printed on	stdout
       whether they are	sufficient to authenticate the binding or not.

OPTIONS
   Subcommand options
       -a, --amount=AMOUNT
	      The required amount of trust.

	      120 indicates full authentication; values	less than 120 indicate
	      partial  authentication.	 When	`--certification-network`   is
	      passed,  this  defaults to 1200, i.e., `sq pki` tries to find 10
	      paths.

       --certification-network
	      Treats the network as a certification network.

	      Normally,	`sq pki` treats	the Web	of Trust network as an authen-
	      tication network where a certification only means	that the bind-
	      ing is correct, not that the  target  should  be	treated	 as  a
	      trusted  introducer.  In a certification network,	the targets of
	      certifications are treated as trusted introducers	with  infinite
	      depth,  and any regular expressions are ignored. Note: The trust
	      amount remains  unchanged.   This	 is  how  most	so-called  PGP
	      path-finding algorithms work.

       --email
	      Changes  the  USERID parameter to	match User IDs with the	speci-
	      fied email address.

	      Interprets the USERID parameter as an email  address,  which  is
	      then used	to select User IDs with	that email address.

	      Unlike when comparing User IDs, email addresses are first
	      normalized by converting the domain to ASCII using IDNA2008
	      Punycode conversion, and then converting the resulting email
	      address to lowercase using the empty locale.

	      If multiple User IDs match, they are each	 considered  in	 turn,
	      and  this	function returns success if at least one of those User
	      IDs can be authenticated.	 Note: The paths to the	different User
	      IDs are not combined.

       --gossip
	      Treats all certificates as unreliable trust roots.

	      This option is useful for	figuring out what others think about a
	      certificate (i.e., gossip	or hearsay).   In  other  words,  this
	      finds arbitrary paths to a particular certificate.

	      Gossip  is useful	in helping to identify alternative ways	to au-
	      thenticate a certificate.	 For instance, imagine Ed wants	to au-
	      thenticate Laura's certificate, but asking her directly  is  in-
	      convenient.   Ed discovers that Micah has	certified Laura's cer-
	      tificate,	but Ed hasn't yet authenticated	 Micah's  certificate.
	      If  Ed  is willing to rely on Micah as a trusted introducer, and
	      authenticating Micah's certificate is easier than	authenticating
	      Laura's certificate, then	Ed has learned about an	easier way  to
	      authenticate Laura's certificate.

       --show-paths
	      Show why a binding is authenticated.

	      By  default,  only a user	ID and certificate binding's degree of
	      authentication (a	value between  0  and  120)  is	 shown.	  This
	      changes  the  output to also show	how that value was computed by
	      showing the paths	from the trust roots to	the bindings.

	FINGERPRINT|KEYID
	      The fingerprint or Key ID of the certificate to authenticate.

	USERID
	      The User ID to authenticate.

	      This is case sensitive, and must be the whole User ID, not  just
	      a	substring or an	email address.

   Global options
       See sq(1) for a description of the global options.

EXAMPLES
       Authenticate a specific binding.

	      sq pki authenticate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
		     "Alice <alice@example.org>"

       Check  whether we can authenticate any user ID with the specified email
       address for the given certificate.

	      sq pki authenticate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
		     --email alice@example.org
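
       Added example (not from the sq manual or the Sequoia project): a POSIX
       shell wrapper that gates a script on the exit status described under
       DESCRIPTION instead of on the printed paths, since paths are printed
       even when they are insufficient. The name require_binding and its
       return code 2 for rejected arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the sq manual. require_binding and its
# return code 2 (rejected arguments) are assumptions of this example.
#
# Usage: require_binding FINGERPRINT EMAIL [AMOUNT]
#   0  binding authenticated to AMOUNT (default 120, full authentication)
#   1  sq could not authenticate it to that level (or sq itself failed)
#   2  arguments rejected before sq was called
require_binding() {
    rb_fpr=${1-}
    rb_email=${2-}
    rb_amount=${3:-120}

    # Hex digits only, so the value can never be parsed as an option.
    case $rb_fpr in
        ''|*[!0-9A-Fa-f]*) echo "bad fingerprint or key ID" >&2; return 2 ;;
    esac
    case $rb_email in
        -*) echo "bad email address" >&2; return 2 ;;
        *@*) ;;
        *) echo "bad email address" >&2; return 2 ;;
    esac
    case $rb_amount in
        ''|*[!0-9]*) echo "bad trust amount" >&2; return 2 ;;
    esac

    # sq prints any valid paths on stdout even when they are insufficient,
    # so the output is kept for diagnostics only. The decision is the exit
    # status; anything other than 0 is treated as "not authenticated".
    if rb_paths=$(sq pki authenticate --amount="$rb_amount" \
                     "$rb_fpr" --email "$rb_email"); then
        return 0
    fi
    printf 'not authenticated to %s: %s <%s>\n' \
        "$rb_amount" "$rb_fpr" "$rb_email" >&2
    if [ -n "$rb_paths" ]; then
        printf 'insufficient paths:\n%s\n' "$rb_paths" >&2
    fi
    return 1
}
```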

SEE ALSO
       sq(1), sq-pki(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION
       0.36.0 (sequoia-openpgp 1.20.0)

Sequoia	PGP			    0.36.0				 SQ(1)
