Provided by: sq_0.40.0-1_amd64 
NAME
sq pki vouch authorize - Mark a certificate as a trusted introducer
SYNOPSIS
sq pki vouch authorize [OPTIONS]
DESCRIPTION
Mark a certificate as a trusted introducer.
Creates a certification that says that the issuer considers the certificate to be a
trusted introducer. Trusted introducer is another word for certification authority (CA).
When a user relies on a trusted introducer, the user considers certifications made by the
trusted introducer to be valid. A trusted introducer can also designate further trusted
introducers.
As is, a trusted introducer has a lot of power. This power can be limited in several
ways.
- The ability to specify further introducers can be constrained using the `--depth`
parameter.
- The degree to which an introducer is trusted can be changed using the `--amount`
parameter.
- The user IDs that an introducer can certify can be constrained by domain using the
`--domain` parameter or a regular expression using the `--regex` parameter.
These mechanisms allow Alice to say that she is willing to rely on the CA for example.org,
but only for user IDs that have an email address for example.org, for instance.
By default a delegation expires after 5 years. Use the `--expiration` argument to override
this.
This subcommand respects the reference time set by the top-level `--time` argument. It
sets the certification's creation time to the reference time.
OPTIONS
Subcommand options
--all Use all self-signed user IDs
--allow-non-canonical-userids
Don't reject new user IDs that are not in canonical form.
Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.
--amount=AMOUNT
Set the amount of trust. Values between 1 and 120 are meaningful. 120 means fully
trusted. Values less than 120 indicate the degree of trust. 60 is usually used
for partially trusted.
[default: full]
--cert=FINGERPRINT|KEYID
Use certificates with the specified fingerprint or key ID
--cert-file=PATH
Read certificates from PATH
--certifier=FINGERPRINT|KEYID
Create the certification using the key with the specified fingerprint or key ID
--certifier-email=EMAIL
Create the certification using the key where a user ID includes the specified email
address
--certifier-file=PATH
Create the certification using the key read from PATH
--certifier-userid=USERID
Create the certification using the key with the specified user ID
--depth=TRUST_DEPTH
Set the trust depth (sometimes referred to as the trust level). 1 means
CERTIFICATE is a trusted introducer (default), 2 means CERTIFICATE is a
meta-trusted introducer and can authorize another trusted introducer, etc.
[default: 1]
--domain=DOMAIN
Add a domain constraint to the introducer.
Add a domain to constrain what certifications are respected. A certification made
by the certificate is only respected if it is over a user ID with an email address
in the specified domain. Multiple domains may be specified. In that case, one
must match.
--email=EMAIL
Use the self-signed user ID with the specified email address
--email-or-add=EMAIL
Use a user ID with the specified email address.
This first searches for a matching self-signed user ID. If there is no self-signed
user ID with the specified email address, it uses a new user ID with the specified
email address, and no display name.
--expiration=EXPIRATION
Sets the expiration time.
EXPIRATION is either an ISO 8601 formatted date with an optional time or a custom
duration. A duration takes the form `N[ymwds]`, where the letters stand for years,
months, weeks, days, and seconds, respectively. Alternatively, the keyword `never`
does not set an expiration time.
[default: 5y]
--local
Make the certification a local certification. Normally, local certifications are
not exported.
--non-revocable
Mark the certification as being non-revocable. That is, you cannot later revoke
this certification. This should normally only be used with an expiration.
--output=FILE
Write to FILE or stdout if omitted
--regex=REGEX
Add a regular expression to constrain the introducer.
Add a regular expression to constrain what certifications are respected. A
certification made by the certificate is only respected if it is over a user ID
that matches one of the specified regular expression. Multiple regular expressions
may be specified. In that case, at least one must match.
--signature-notation NAME VALUE
Add a notation to the certification. A user-defined notation's name must be of the
form `name@a.domain.you.control.org`. If the notation's name starts with a !, then
the notation is marked as being critical. If a consumer of a signature doesn't
understand a critical notation, then it will ignore the signature. The notation is
marked as being human readable.
--unconstrained
Don't constrain the introducer.
Normally an introducer is constrained so that only certain user IDs are respected,
e.g., those that have an email address for a certain domain name. This option
authorizes an introducer without constraining it in this way. Because this grants
the introducer a lot of power, you have to opt in to this behavior explicitly.
--userid=USERID
Use the specified self-signed user ID.
The specified user ID must be self signed.
--userid-or-add=USERID
Use the specified user ID.
The specified user ID does not need to be self signed.
Because using a user ID that is not self-signed is often a mistake, you need to use
this option to explicitly opt in. That said, certifying a user ID that is not
self-signed is useful. For instance, you can associate an alternate email address
with a certificate, or you can add a petname, i.e., a memorable, personal name like
"mom".
Global options
See sq(1) for a description of the global options.
EXAMPLES
Certify that E7FC51AD886BBB5C4F44C3D7A9DA14F3E740F63F is a trusted introducer for
example.org and example.com.
sq pki vouch authorize \
--certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--cert=E7FC51AD886BBB5C4F44C3D7A9DA14F3E740F63F \
--domain=example.org --domain=example.com --all
SEE ALSO
sq(1), sq-pki(1), sq-pki-vouch(1).
For the full documentation see <https://book.sequoia-pgp.org>.
VERSION
0.40.0 (sequoia-openpgp 1.21.2)