SQ(1)				 User Commands				 SQ(1)

NAME
       sq pki link - Manage authenticated certificate and User ID links

SYNOPSIS
       sq pki link add [OPTIONS] FINGERPRINT|KEYID USERID|EMAIL
       sq pki link retract [OPTIONS] FINGERPRINT|KEYID USERID|EMAIL
       sq pki link list [OPTIONS]

DESCRIPTION
       Manage authenticated certificate	and User ID links.

       Linking a certificate and User ID is one way of making `sq` consider a
       binding to be authentic.  Another way is to use `sq pki certify` to
       certify the binding with an explicitly configured trust root.  The
       linking functionality is often easier to work with, and the information
       is private by default.

       Authenticated bindings can be used to designate a certificate  using  a
       symbolic	name.  For instance, using `sq encrypt`'s `--recipient-userid`
       and `--recipient-email` options,	a user can designate a certificate us-
       ing  a  User ID or an email address that	is authenticated for that cer-
       tificate.

       `sq` also uses authenticated certificates to authenticate  other	 data.
       For instance, `sq verify` considers signatures made by an authenticated
       certificate to be authentic.

       Users  can  create a link using `sq pki link add`.  That	link can later
       be retracted using `sq pki link retract`.  A certificate	 can  also  be
       accepted	 as  a	trusted	introducer by passing the `--ca` option	to `sq
       pki link	add`.

       `sq` implements linking using non-exportable certifications, and	an im-
       plicit trust root.  An OpenPGP certificate directory, the default  cer-
       tificate	 store	used  by  `sq`,	 includes a local trust	root, which is
       stored under the	`trust-root` special name.  When  the  user  instructs
       `sq`  to	 accept	 a binding, `sq` uses the local	trust root to create a
       non-exportable certification, which it stores in	the certificate	direc-
       tory.  In this way, operations that use the Web of Trust	 to  authenti-
       cate a binding automatically use	links.

       When  a user retracts a link, `sq` creates a new, non-exportable	certi-
       fication	with zero trust.  This certification suppresses	 the  previous
       link.

SUBCOMMANDS
   sq pki link add
       Link a certificate and a	User ID.

       This causes `sq` to consider the certificate and User ID binding to be
       authentic.

       A certificate can also be accepted as a certification authority,	 which
       is also known as	a trusted introducer, by using the `--ca` or `--depth`
       option.

       A link can be retracted using `sq pki link retract`.

       This command is similar to `sq pki certify`, but the certifications it
       makes are done using the certificate directory's trust root, not an
       arbitrary key.  Further, the certifications are marked as
       non-exportable.  The former makes it easier to manage certifications,
       especially when the user's certification key is offline.  And the
       latter improves the user's privacy, by reducing the chance that parts
       of the user's social graph are leaked when a certificate is shared.

       By default a link never expires.  The `--expiry` argument sets a
       specific validity period, given either as the point in time at which
       validity ends or as a validity duration.

       `sq pki link` respects the reference time set by	the top-level `--time`
       argument. It sets the link's creation time to the reference time.

   sq pki link retract
       Retract links.

       This  command retracts links that were previously created using `sq pki
       link add`.  See	that  subcommand's  documentation  for	more  details.
       Note: this is called `retract` and not `remove`,	because	the certifica-
       tions  are  not	removed.   Instead a new certification is added, which
       says that the binding has not been authenticated.

       `sq pki link retract` respects the reference time set by	the  top-level
       `--time`	argument.  This	causes a link to be retracted as of a particu-
       lar time	instead	of the current time.
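
       The link and retract semantics described above, as a small Python
       model. This is an added example, not code from `sq` or Sequoia; the
       names `Certification`, `is_linked` and `HISTORY`, the amount 120 for
       full trust, and the rule that only the newest certification created
       at or before the reference time counts are assumptions of the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

FULL_TRUST = 120  # assumption: conventional OpenPGP "fully trusted" amount


@dataclass(frozen=True)
class Certification:
    """One non-exportable certification made by the local trust root."""
    created: datetime                     # reference time at creation (--time)
    amount: int                           # 0 models a retraction
    validity: Optional[timedelta] = None  # None: never expires (the default)


def newest_at(history: List[Certification], at: datetime) -> Optional[Certification]:
    """Newest certification created at or before the reference time `at`."""
    seen = [c for c in history if c.created <= at]
    return max(seen, key=lambda c: c.created, default=None)


def is_linked(history: List[Certification], at: datetime) -> bool:
    """True if the binding counts as authenticated by a link at time `at`."""
    cert = newest_at(history, at)
    if cert is None or cert.amount == 0:
        return False  # never linked, or the newest certification retracts it
    if cert.validity is not None and at >= cert.created + cert.validity:
        return False  # the link's validity period has ended
    return True


# Constructed timeline for one certificate and User ID binding:
#   2024-01-01  link added, no expiry
#   2024-02-01  link retracted (a new zero-trust certification, nothing removed)
#   2024-03-01  link added again, valid for one week
HISTORY = [
    Certification(datetime(2024, 1, 1), FULL_TRUST),
    Certification(datetime(2024, 2, 1), 0),
    Certification(datetime(2024, 3, 1), FULL_TRUST, timedelta(weeks=1)),
]

if __name__ == "__main__":
    for day in ("2023-12-31", "2024-01-15", "2024-02-02", "2024-03-02", "2024-03-09"):
        at = datetime.fromisoformat(day)
        print(day, "linked" if is_linked(HISTORY, at) else "not linked")
```

       Because a retraction is itself a dated certification, evaluating the
       binding at a reference time before the retraction still reports it
       as linked.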

   sq pki link list
       List links.

       This  command lists all bindings	that are linked	or whose link has been
       retracted.

EXAMPLES
   sq pki link add
       The user	links 0123456789ABCDEF and the User ID '<romeo@example.org>'.

	      sq pki link add 0123456789ABCDEF '<romeo@example.org>'

       The user	examines 0123456789ABCDEF and  then  accepts  the  certificate
       0123456789ABCDEF	with its current set of	self-signed User IDs.

	      sq cert export --cert 0123456789ABCDEF | sq inspect

       ...

	      sq pki link add 0123456789ABCDEF --all

       The user	links the certificate and its current self-signed User IDs for
       a week.

	      sq pki link add --expires-in 1w 0123456789ABCDEF --all

       The  user accepts the certificate, and its current self-signed User IDs
       as a certification authority.  That is, the certificate is considered a
       trust root.

	      sq pki link add --ca '*' 0123456789ABCDEF	--all

       The user	accepts	the certificate	and its	current	self-signed  User  IDs
       as a partially trusted certification authority.

	      sq pki link add --ca '*' --amount	60 0123456789ABCDEF --all

       The  user retracts their	acceptance of 0123456789ABCDEF and any associ-
       ated User IDs.  This effectively	invalidates any	links.

	      sq pki link retract 0123456789ABCDEF

SEE ALSO
       sq(1),	 sq-pki(1),    sq-pki-link-add(1),     sq-pki-link-retract(1),
       sq-pki-link-list(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION
       0.36.0 (sequoia-openpgp 1.20.0)

Sequoia	PGP			    0.36.0				 SQ(1)
