NAME

       sq pki vouch add - Certify a User ID for a Certificate

SYNOPSIS

       sq pki vouch add [OPTIONS]

DESCRIPTION

       Certify a User ID for a Certificate.

       Using  a  certification  a  keyholder  may  vouch  for  the  fact that another certificate
       legitimately belongs to a user id.  In the context of emails  this  means  that  the  same
       entity  controls  the  key  and  the email address.  These kind of certifications form the
       basis for the Web of Trust.

       This command emits the certificate with the new certification.   The  updated  certificate
       has  to  be  distributed, preferably by sending it to the certificate holder for approval.
       See also `sq key approvals`.

       By default a certification expires  after  5  years.  Using  the  `--expiration`  argument
       specific  validity  periods  may  be  defined. It allows for providing a point in time for
       validity to end or a validity duration.

       `sq pki vouch add` respects the reference time set by the top-level `--time` argument.  It
       sets the certification's creation time to the reference time.

OPTIONS

   Subcommand options
       --all  Use all self-signed user IDs

       --allow-non-canonical-userids
              Don't reject new user IDs that are not in canonical form.

              Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.

       --amount=AMOUNT
              Set  the amount of trust.  Values between 1 and 120 are meaningful. 120 means fully
              trusted.  Values less than 120 indicate the degree of trust.  60  is  usually  used
              for partially trusted.

              [default: full]

       --cert=FINGERPRINT|KEYID
              Use certificates with the specified fingerprint or key ID

       --cert-file=PATH
              Read certificates from PATH

       --certifier=FINGERPRINT|KEYID
              Create the certification using the key with the specified fingerprint or key ID

       --certifier-email=EMAIL
              Create the certification using the key where a user ID includes the specified email
              address

       --certifier-file=PATH
              Create the certification using the key read from PATH

       --certifier-userid=USERID
              Create the certification using the key with the specified user ID

       --email=EMAIL
              Use the self-signed user ID with the specified email address

       --email-or-add=EMAIL
              Use a user ID with the specified email address.

              This first searches for a matching self-signed user ID.  If there is no self-signed
              user  ID with the specified email address, it uses a new user ID with the specified
              email address, and no display name.

       --expiration=EXPIRATION
              Sets the expiration time.

              EXPIRATION is either an ISO 8601 formatted date with an optional time or  a  custom
              duration.  A duration takes the form `N[ymwds]`, where the letters stand for years,
              months, weeks, days, and seconds, respectively. Alternatively, the keyword  `never`
              does not set an expiration time.

              [default: 5y]

       --local
              Make  the  certification a local certification.  Normally, local certifications are
              not exported.

       --non-revocable
              Mark the certification as being non-revocable. That is,  you  cannot  later  revoke
              this certification.  This should normally only be used with an expiration.

       --output=FILE
              Write to FILE or stdout if omitted

       --signature-notation NAME VALUE
              Add a notation to the certification.  A user-defined notation's name must be of the
              form `name@a.domain.you.control.org`. If the notation's name starts with a !,  then
              the  notation  is  marked  as being critical.  If a consumer of a signature doesn't
              understand a critical notation, then it will ignore the signature.  The notation is
              marked as being human readable.

       --userid=USERID
              Use the specified self-signed user ID.

              The specified user ID must be self signed.

       --userid-or-add=USERID
              Use the specified user ID.

              The specified user ID does not need to be self signed.

              Because using a user ID that is not self-signed is often a mistake, you need to use
              this option to explicitly opt in.  That said, certifying a  user  ID  that  is  not
              self-signed  is useful.  For instance, you can associate an alternate email address
              with a certificate, or you can add a petname, i.e., a memorable, personal name like
              "mom".

   Global options
       See sq(1) for a description of the global options.

EXAMPLES

       Alice certifies that Bob controls 3F68CB84CE537C9A and bob@example.org.

              sq pki vouch add \
                     --certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --cert=511257EBBF077B7AEDAE5D093F68CB84CE537C9A \
                     --email=bob@example.org

       Alice  certifies  that Bob controls 3F68CB84CE537C9A and bob@bobs.lair.net, which is not a
       self-signed user ID.

              sq pki vouch add \
                     --certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --cert=511257EBBF077B7AEDAE5D093F68CB84CE537C9A \
                     --email-or-add=bob@bobs.lair.net

SEE ALSO

       sq(1), sq-pki(1), sq-pki-vouch(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION

       0.40.0 (sequoia-openpgp 1.21.2)