Provided by: sq_0.37.0-1_amd64

NAME

       sq pki link - Manage authenticated certificate and User ID links

SYNOPSIS

       sq pki link add [OPTIONS] FINGERPRINT|KEYID USERID|EMAIL
       sq pki link retract [OPTIONS] FINGERPRINT|KEYID USERID|EMAIL
       sq pki link list [OPTIONS]

DESCRIPTION

       Manage authenticated certificate and User ID links.

       Linking a certificate and User ID is one way of making `sq` consider a binding to be authentic.  Another
       way is to use `sq pki certify` to certify the binding with an explicitly configured trust root.  The
       linking functionality is often easier to work with, and the information is private by default.

       Authenticated bindings can be used to designate a certificate using a symbolic name.  For instance, using
       `sq encrypt`'s `--recipient-userid` and `--recipient-email` options, a user can designate  a  certificate
       using a User ID or an email address that is authenticated for that certificate.

       `sq`  also  uses  authenticated  certificates  to  authenticate  other  data.   For instance, `sq verify`
       considers signatures made by an authenticated certificate to be authentic.

       Users can create a link using `sq pki link add`.  That link can later be retracted  using  `sq  pki  link
       retract`.  A certificate can also be accepted as a trusted introducer by passing the `--ca` option to `sq
       pki link add`.

       `sq` implements linking using non-exportable certifications, and an  implicit  trust  root.   An  OpenPGP
       certificate  directory, the default certificate store used by `sq`, includes a local trust root, which is
       stored under the `trust-root` special name.  When the user instructs `sq` to accept a binding, `sq`  uses
       the  local  trust  root  to  create  a  non-exportable  certification, which it stores in the certificate
       directory.  In this way, operations that use the Web of Trust to authenticate a binding automatically use
       links.

       When  a  user  retracts  a  link, `sq` creates a new, non-exportable certification with zero trust.  This
       certification suppresses the previous link.

SUBCOMMANDS

   sq pki link add
       Link a certificate and a User ID.

       This causes `sq` to consider the certificate and User ID binding to be authentic.

       A certificate can also be accepted as a certification  authority,  which  is  also  known  as  a  trusted
       introducer, by using the `--ca` or `--depth` option.

       A link can be retracted using `sq pki link retract`.

       This command is similar to `sq pki certify`, but the certifications it makes are done using the
       certificate directory's trust root, not an arbitrary key.  Further, the certifications are marked as
       non-exportable.  The former makes it easier to manage certifications, especially when the user's
       certification key is offline.  And the latter improves the user's privacy, by reducing the chance that
       parts of the user's social graph are leaked when a certificate is shared.

       By default, a link never expires.  The `--expiry` argument sets a specific validity period, given either
       as a point in time at which validity ends or as a validity duration.

       `sq pki link` respects the reference time set by the top-level `--time`  argument.  It  sets  the  link's
       creation time to the reference time.

   sq pki link retract
       Retract links.

       This  command retracts links that were previously created using `sq pki link add`.  See that subcommand's
       documentation for  more  details.   Note:  this  is  called  `retract`  and  not  `remove`,  because  the
       certifications  are  not  removed.  Instead a new certification is added, which says that the binding has
       not been authenticated.

       `sq pki link retract` respects the reference time set by the top-level `--time` argument.  This causes  a
       link to be retracted as of a particular time instead of the current time.

   sq pki link list
       List links.

       This command lists all bindings that are linked or whose link has been retracted.
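
       The bookkeeping described in DESCRIPTION and under `sq pki link retract`, as an added Python model
       (not sq's code and not part of the original page): links are appended, a retraction is a newer
       zero-trust entry, and the reference time decides which entry applies.  The class and function names
       are hypothetical, times are plain integers, and 120 is assumed as the full trust amount.

```python
# Added illustration: a toy model of link bookkeeping, not sq's implementation.
from dataclasses import dataclass

FULL_TRUST = 120  # assumed amount for a fully trusted link; 0 means zero trust


@dataclass(frozen=True)
class Certification:
    fingerprint: str
    userid: str
    created: int  # creation time = reference time (top-level `--time`)
    amount: int   # 0 marks a retraction


def link_add(store, fingerprint, userid, reference_time, amount=FULL_TRUST):
    """Append a certification for the binding; nothing is overwritten."""
    store.append(Certification(fingerprint, userid, reference_time, amount))


def link_retract(store, fingerprint, userid, reference_time):
    """Retracting adds a zero-trust certification; the old one stays stored."""
    store.append(Certification(fingerprint, userid, reference_time, 0))


def active(store, fingerprint, userid, reference_time):
    """Newest certification for the binding created at or before reference_time."""
    seen = [c for c in store
            if (c.fingerprint, c.userid) == (fingerprint, userid)
            and c.created <= reference_time]
    # sorted() is stable, so on equal times the later-appended entry wins.
    return sorted(seen, key=lambda c: c.created)[-1] if seen else None


def is_linked(store, fingerprint, userid, reference_time):
    cert = active(store, fingerprint, userid, reference_time)
    return cert is not None and cert.amount > 0


def link_list(store, reference_time):
    """Every binding that is linked or retracted as of reference_time."""
    bindings = sorted({(c.fingerprint, c.userid)
                       for c in store if c.created <= reference_time})
    return [(f, u, "linked" if is_linked(store, f, u, reference_time) else "retracted")
            for f, u in bindings]


# Constructed timeline: link at t=1000, retract as of t=2000.
store = []
link_add(store, "0123456789ABCDEF", "<romeo@example.org>", 1000)
link_retract(store, "0123456789ABCDEF", "<romeo@example.org>", 2000)
```

       In this model a query with a reference time between the two entries still sees the link, and the
       store keeps both entries after the retraction.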

EXAMPLES

   sq pki link add
       The user links 0123456789ABCDEF and the User ID '<romeo@example.org>'.

              sq pki link add 0123456789ABCDEF '<romeo@example.org>'

       The user examines 0123456789ABCDEF and then accepts the certificate 0123456789ABCDEF with its current set
       of self-signed User IDs.

              sq cert export --cert 0123456789ABCDEF | sq inspect

       ...

              sq pki link add 0123456789ABCDEF --all

       The user links the certificate and its current self-signed User IDs for a week.

              sq pki link add --expires-in 1w 0123456789ABCDEF --all

       The user accepts the certificate and its current self-signed User IDs as a certification authority.
       That is, the certificate is considered a trust root.

              sq pki link add --ca '*' 0123456789ABCDEF --all

       The  user  accepts  the  certificate  and  its  current  self-signed  User  IDs  as  a  partially trusted
       certification authority.

              sq pki link add --ca '*' --amount 60 0123456789ABCDEF --all

       The user retracts their acceptance of 0123456789ABCDEF and any associated  User  IDs.   This  effectively
       invalidates any links.

              sq pki link retract 0123456789ABCDEF

SEE ALSO

       sq(1), sq-pki(1), sq-pki-link-add(1), sq-pki-link-retract(1), sq-pki-link-list(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION

       0.34.0 (sequoia-openpgp 1.19.0)