Provided by: sq_0.40.0-1_amd64

NAME

       sq pki link - Manage authenticated certificate and User ID links

SYNOPSIS

       sq pki link add [OPTIONS]
       sq pki link authorize [OPTIONS]
       sq pki link retract [OPTIONS]
       sq pki link list [OPTIONS]

DESCRIPTION

       Manage authenticated certificate and User ID links.

       Linking  a  certificate  and  User  ID  is one way of making `sq` consider a binding to be
       authentic.  Another way is to use `sq pki vouch certify` to certify the  binding  with  an
       explicitly configured trust root.  The linking functionality is often easier to work with,
       and the information is private by default.

       Authenticated bindings can be used to designate a certificate using a symbolic name.   For
       instance,  using  `sq  encrypt`'s  `--for-userid`  and  `--for-email`  options, a user can
       designate a certificate using a User ID or an email address that is authenticated for that
       certificate.

       `sq`  also  uses authenticated certificates to authenticate other data.  For instance, `sq
       verify` considers signatures made by an authenticated certificate to be authentic.

       Users can create a link using `sq pki link add`.  That link can later be  retracted  using
       `sq  pki  link  retract`.   A  certificate can also be accepted as a trusted introducer by
       using `sq pki link authorize`.

       `sq` implements linking using non-exportable certifications, and an implicit  trust  root.
       An  OpenPGP  certificate directory, the default certificate store used by `sq`, includes a
       local trust root, which is stored under the `trust-root`  special  name.   When  the  user
       instructs  `sq`  to  accept  a  binding,  `sq`  uses  the  local  trust  root  to create a
       non-exportable certification, which it stores in the certificate directory.  In this  way,
       operations that use the Web of Trust to authenticate a binding automatically use links.

       When  a  user  retracts a link, `sq` creates a new, non-exportable certification with zero
       trust.  This certification suppresses the previous link.

SUBCOMMANDS

   sq pki link add
       Link a certificate and a user ID.

       This causes `sq` to consider the certificate and user ID binding  to  be  authentic.   You
       would do this if you are confident that a particular certificate should be associated with
       Alice, for example.  Note: this  does  not  consider  the  certificate  to  be  a  trusted
       introducer;  it only considers the binding to be authentic.  To authorize a certificate to
       be a trusted introducer use `sq pki link authorize`.

       A link can be retracted using `sq pki link retract`.

       This command is similar to `sq pki vouch certify`, but the certifications it makes are
       done using the certificate directory's trust root, not an arbitrary key.  Further, the
       certifications are marked as non-exportable.  The former makes it easier to manage
       certifications, especially when the user's certification key is offline.  And the latter
       improves the user's privacy, by reducing the chance that parts of the user's social graph
       are leaked when a certificate is shared.

       By default a link never expires.  This can be overridden using the `--expiration` argument.

       `sq  pki  link add` respects the reference time set by the top-level `--time` argument. It
       sets the link's creation time to the reference time.

   sq pki link authorize
       Make a certificate a trusted introducer.

       This causes `sq` to consider the certificate to be a trusted introducer.  Trusted
       introducer is another word for certification authority (CA).  When you link a trusted
       introducer, you consider certifications made by the trusted introducer to be valid.  A
       trusted introducer can also designate further trusted introducers.

       As  is,  a  trusted  introducer  has a lot of power.  This power can be limited in several
       ways.

         - The ability to specify further introducers can  be  constrained  using  the  `--depth`
       parameter.

         -  The  degree  to  which  an  introducer is trusted can be changed using the `--amount`
       parameter.

         - The user IDs that an introducer can certify can be constrained  by  domain  using  the
       `--domain` parameter or a regular expression using the `--regex` parameter.

       These  mechanisms allow you to say that you are willing to rely on the CA for example.org,
       but only for user IDs that have an email address for example.org, for instance.
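
       The domain constraint described above, as a small Python model added here (it is not
       `sq`'s code).  It assumes the constraint behaves like the regular expression form that
       RFC 4880 gives for domain-scoped trust signatures; the function names and the sample
       user IDs are constructed for illustration.

```python
# Model of a domain-scoped trusted introducer (illustration, not sq's code).
import re

def domain_regex(domain):
    """Pattern in the form RFC 4880 gives for domain-scoped trust signatures."""
    return re.compile(r"<[^>]+[@.]" + re.escape(domain) + r">$")

def in_scope(user_id, domains):
    """True if the user ID's bracketed email address falls under any domain."""
    return any(domain_regex(d).search(user_id) for d in domains)

def accepted(certified_user_ids, domains):
    """Split an introducer's certifications into relied-upon and ignored."""
    ok = [u for u in certified_user_ids if in_scope(u, domains)]
    ignored = [u for u in certified_user_ids if u not in ok]
    return ok, ignored

# Constructed user IDs certified by a hypothetical CA for example.org.
SAMPLE = [
    "Alice <alice@example.org>",
    "Bob <bob@mail.example.org>",                # subdomain: matches [@.]
    "Carol <carol@example.com>",                 # other domain
    "Dave <dave@notexample.org>",                # suffix lookalike
    "Eve <eve@example.org.invalid>",             # prefix lookalike
    "mallory@example.org <mallory@other.test>",  # address only in display name
    "frank@example.org",                         # no angle brackets
]

if __name__ == "__main__":
    ok, ignored = accepted(SAMPLE, ["example.org"])
    for u in ok:
        print("relied upon:", u)
    for u in ignored:
        print("ignored:    ", u)
```

       Only the address inside the angle brackets is matched, so a look-alike domain or an
       address placed in the display name does not bring a user ID into scope.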

       A link can be retracted using `sq pki link retract`.

       This command is similar to `sq pki vouch authorize`, but the certifications it makes are
       done using the certificate directory's trust root, not an arbitrary key.  Further, the
       certifications are marked as non-exportable.  The former makes it easier to manage
       certifications, especially when your certification key is offline.  And the latter
       improves your privacy, by reducing the chance that parts of your social graph are leaked
       when a certificate is shared.

       By default a link never expires.  The `--expiration` argument defines a specific
       validity period, given either as a point in time at which validity ends or as a
       validity duration.

       `sq  pki  link  authorize`  respects  the  reference  time  set  by the top-level `--time`
       argument. It sets the link's creation time to the reference time.

   sq pki link retract
       Retract links.

       This command retracts links that were previously created using `sq pki link add` or `sq
       pki link authorize`.  See those subcommands' documentation for more details.  Note: this
       is called `retract` and not `remove`, because the certifications are not removed.
       Instead a new certification is added, which says that the binding has not been
       authenticated.

       `sq  pki link retract` respects the reference time set by the top-level `--time` argument.
       This causes a link to be retracted as of a particular time instead of the current time.
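
       The append-only behavior described above, as a simplified Python model added here (it
       is not `sq`'s implementation).  The function names, the store layout and the dates are
       constructed; expiration is left out, and 120 is used as the OpenPGP convention for a
       fully trusted amount.

```python
# Simplified model of link history (an illustration, not sq's implementation).
from datetime import datetime, timezone

def add(store, cert, user_id, when, amount=120):
    """Record a link: a certification with a non-zero trust amount."""
    store.append({"cert": cert, "uid": user_id, "created": when, "amount": amount})

def retract(store, cert, when, user_id=None):
    """Retract by appending zero-trust certifications; nothing is deleted.
    With no user ID, every binding recorded for the certificate is retracted."""
    uids = {c["uid"] for c in store if c["cert"] == cert}
    for uid in sorted(uids if user_id is None else uids & {user_id}):
        store.append({"cert": cert, "uid": uid, "created": when, "amount": 0})

def link_state(store, cert, user_id, reference_time):
    """State of one binding as seen at reference_time."""
    visible = [c for c in store
               if (c["cert"], c["uid"]) == (cert, user_id)
               and c["created"] <= reference_time]
    if not visible:
        return "unlinked"
    # Stable sort: among equal creation times the entry recorded last decides.
    newest = sorted(visible, key=lambda c: c["created"])[-1]
    return "retracted" if newest["amount"] == 0 else "linked"

def list_links(store, reference_time):
    """Every binding that is linked or retracted at reference_time."""
    bindings = sorted({(c["cert"], c["uid"]) for c in store})
    states = {b: link_state(store, b[0], b[1], reference_time) for b in bindings}
    return {b: s for b, s in states.items() if s != "unlinked"}

def day(n):
    """Constructed timestamps: day n of January 2024, UTC."""
    return datetime(2024, 1, n, tzinfo=timezone.utc)

# Constructed sample history; the fingerprint is the one used on this page.
CERT = "EB28F26E2739A4870ECC47726F0073F60FD0CBF0"
STORE = []
add(STORE, CERT, "<alice@example.org>", day(1))
add(STORE, CERT, "<alice@example.com>", day(2))
retract(STORE, CERT, day(10))  # no user ID: retracts both bindings

if __name__ == "__main__":
    for ref in (day(1), day(5), day(11)):
        print(ref.date(), list_links(STORE, ref))
```

       In this model the store grows from two to four entries on retraction, and a reference
       time before the retraction still sees the bindings as linked.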

   sq pki link list
       List links.

       This command lists all bindings that are linked or whose link has been retracted.

EXAMPLES

   sq pki link add
       Link the  certificate  EB28F26E2739A4870ECC47726F0073F60FD0CBF0  with  the  email  address
       alice@example.org.

              sq pki link add \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --email=alice@example.org

       First, examine the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0.

              sq inspect --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0

       Then, temporarily accept the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all
       of its self-signed user IDs for a week.

              sq pki link add --expiration=1w \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

       Once satisfied, permanently accept the certificate
       EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all of its self-signed user IDs.

              sq pki link add \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

   sq pki link authorize
       Add an unconstrained trusted introducer.

              sq pki link authorize --unconstrained \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

       Add a trusted introducer for example.org and example.com.

              sq pki link authorize --domain=example.org \
                     --domain=example.com \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

       Add a partially trusted introducer.

              sq pki link authorize --unconstrained --amount=60 \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

   sq pki link retract
       Link  the  certificate  EB28F26E2739A4870ECC47726F0073F60FD0CBF0  with  the  email address
       alice@example.org.

              sq pki link add \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --email=alice@example.org

       Retract the acceptance of  certificate  EB28F26E2739A4870ECC47726F0073F60FD0CBF0  and  the
       email address alice@example.org.

              sq pki link retract \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --email=alice@example.org

       Retract  the  acceptance  of  certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 and any
       associated user IDs.  This effectively invalidates all links.

              sq pki link retract \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0

   sq pki link list
       Link the  certificate  EB28F26E2739A4870ECC47726F0073F60FD0CBF0  with  the  email  address
       alice@example.org.

              sq pki link add \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --email=alice@example.org

       List all links.

              sq pki link list

       List all links in the example.org domain.

              sq pki link list --cert-domain=example.org

SEE ALSO

       sq(1),  sq-pki(1),  sq-pki-link-add(1),  sq-pki-link-authorize(1), sq-pki-link-retract(1),
       sq-pki-link-list(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION

       0.40.0 (sequoia-openpgp 1.21.2)