Provided by: sq_1.3.1-2_amd64

NAME

       sq-pki-vouch-authorize - Mark a certificate as a trusted introducer

SYNOPSIS

       sq pki vouch authorize [OPTIONS]

DESCRIPTION

       Mark a certificate as a trusted introducer.

       Creates  a  certification that says that the issuer considers the certificate to be a trusted introducer.
       Trusted introducer is another word for certification authority (CA).  When a user  relies  on  a  trusted
       introducer,  the  user  considers  certifications  made by the trusted introducer to be valid.  A trusted
       introducer can also designate further trusted introducers.

       As is, a trusted introducer has a lot of power.  This power can be limited in several ways.

         - The ability to specify further introducers can be constrained using the `--depth` parameter.

         - The degree to which an introducer is trusted can be changed using the `--amount` parameter.

         - The user IDs that an introducer can certify  can  be  constrained  by  domain  using  the  `--domain`
           parameter or a regular expression using the `--regex` parameter.

       These mechanisms allow Alice to say, for instance, that she is willing to rely on the CA for example.org,
       but only for user IDs that have an email address at example.org.

       By default a delegation expires after 10 years. Use the `--expiration` argument to override this.

       This subcommand respects the reference time  set  by  the  top-level  `--time`  argument.   It  sets  the
       certification's creation time to the reference time.

OPTIONS

   Subcommand options
       --add-email=EMAIL
              Use a user ID with the specified email address

              The  user  ID  consists of just the email address.  The email address does not have to appear in a
              self-signed user ID.

       --add-userid=USERID
              Use the specified user ID

              The specified user ID does not need to be self signed.

              Because using a user ID that is not self-signed is often a mistake, you need to use this option to
              explicitly opt in.

       --all  Use all self-signed user IDs

       --allow-non-canonical-userids
              Don't reject new user IDs that are not in canonical form

              Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.

       --amount=AMOUNT
              Set the amount of trust

              Values between 1 and 120 are meaningful. 120 means fully trusted.  Values less than  120  indicate
              the degree of trust.  60 is usually used for partially trusted.

              [default: full]

       --cert=FINGERPRINT|KEYID
              Use certificates with the specified fingerprint or key ID

       --cert-file=PATH
              Read certificates from PATH

       --certifier=FINGERPRINT|KEYID
              Create the certification using the key with the specified fingerprint or key ID

       --certifier-email=EMAIL
              Create the certification using the key where a user ID includes the specified email address

       --certifier-file=PATH
              Create the certification using the key read from PATH

       --certifier-self
              Create the certification using your default certification key

              This uses the certificates set in the configuration file under `pki.vouch.certifier-self` as the
              certification key.

              Currently, there is no default certification key.

       --certifier-userid=USERID
              Create the certification using the key with the specified user ID

       --depth=TRUST_DEPTH
              Set the trust depth

              This is sometimes referred to as the trust level.  1 means CERTIFICATE  is  a  trusted  introducer
              (default),  2  means  CERTIFICATE  is  a meta-trusted introducer and can authorize another trusted
              introducer, etc.

              [default: 1]

       --domain=DOMAIN
              Add a domain constraint to the introducer

              Add a domain to constrain  what  certifications  are  respected.   A  certification  made  by  the
              certificate  is  only  respected  if  it  is over a user ID with an email address in the specified
              domain.  Multiple domains may be specified.  In that case, one must match.

       --email=EMAIL
              Use a user ID consisting of just the email address, if the email address occurs in  a  self-signed
              user ID

       --expiration=EXPIRATION
              Sets the expiration time

              EXPIRATION  is  either  an  ISO 8601 formatted date with an optional time or a custom duration.  A
              duration takes the form `N[ymwds]`, where the letters stand for years, months,  weeks,  days,  and
              seconds, respectively. Alternatively, the keyword `never` does not set an expiration time.

              The default can be changed in the configuration file using the setting `pki.vouch.expiration`.

              [default: 10y]

       --local
              Make the certification a local certification

              Normally, local certifications are not exported.

       --non-revocable
              Mark the certification as being non-revocable

              That  is,  you  cannot later revoke this certification.  This should normally only be used with an
              expiration.

       --output=FILE
              Write to FILE or stdout if omitted

       --regex=REGEX
              Add a regular expression to constrain the introducer

              Add a regular expression to constrain what certifications are respected.  A certification made  by
              the  certificate  is  only  respected  if  it  is over a user ID that matches one of the specified
              regular expressions.  Multiple regular expressions may be specified.  In that case,  at  least  one
              must match.

       --signature-notation NAME VALUE
              Add a notation to the signature

              A  user-defined  notation's  name  must  be  of  the  form `name@a.domain.you.control.org`. If the
              notation's name starts with a `!`, then the notation is marked as being critical.  If  a  consumer
              of  a  signature  doesn't  understand a critical notation, then it will ignore the signature.  The
              notation is marked as being human readable.

       --unconstrained
              Don't constrain the introducer

              Normally an introducer is constrained so that only certain user IDs  are  respected,  e.g.,  those
              that  have  an  email  address  for  a  certain domain name.  This option authorizes an introducer
              without constraining it in this way.  Because this grants the introducer a lot of power, you  have
              to opt in to this behavior explicitly.

       --userid=USERID
              Use the specified self-signed user ID

              The specified user ID must be self signed.

       --userid-by-email=EMAIL
              Use the self-signed user ID with the specified email address

   Global options
       See sq(1) for a description of the global options.

EXAMPLES

       Certify  that  E7FC51AD886BBB5C4F44C3D7A9DA14F3E740F63F  is  a  trusted  introducer  for  example.org and
       example.com.

              sq pki vouch authorize \
                     --certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --cert=E7FC51AD886BBB5C4F44C3D7A9DA14F3E740F63F \
                     --domain=example.org --domain=example.com --all
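       The following Python model is an added illustration of what `--depth`, `--amount`, `--domain` and `--regex`
       mean for a relying party; it is not sq's own code, and its evaluation rules (minimum amount along a path,
       every constraint on the path applied to the final user ID, independent paths summed and capped at 120) are
       assumptions about the general web-of-trust model, not a description of sq's exact algorithm.  The
       delegations and certifications are constructed sample data built around the EXAMPLES command above.

```python
import re
from dataclasses import dataclass, field

FULL = 120  # "fully trusted"; 60 is the customary partially-trusted amount

@dataclass
class Delegation:
    """One `sq pki vouch authorize` certification: issuer vouches for introducer."""
    issuer: str
    introducer: str
    depth: int = 1                               # --depth
    amount: int = FULL                           # --amount
    domains: list = field(default_factory=list)  # --domain (repeatable)
    regexes: list = field(default_factory=list)  # --regex; neither given = --unconstrained

    def permits(self, userid: str) -> bool:
        """Is a certification over this user ID respected under the constraints?"""
        if not self.domains and not self.regexes:
            return True
        m = re.search(r"<([^<>\s]+@[^<>\s]+)>$|^([^<>\s]+@[^<>\s]+)$", userid)
        email = (m.group(1) or m.group(2)) if m else ""
        domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
        if domain and domain in [d.lower() for d in self.domains]:
            return True
        return any(re.search(r, userid) for r in self.regexes)

def trust_in(root, target, userid, delegations, certifications):
    """Assumed model (not sq's): amount of trust `root` has that `userid` belongs
    to `target`.  A path's amount is the minimum --amount along it, each constraint
    must permit the final user ID, depth d leaves d-1 levels for further delegation."""
    total = 0
    def walk(node, remaining, amount, seen):
        nonlocal total
        if (node, target, userid) in certifications:
            total += amount
        for d in delegations:
            if d.issuer != node or d.introducer in seen or remaining < 2:
                continue  # not this node's delegation, a cycle, or depth used up
            if d.permits(userid):
                walk(d.introducer, min(remaining - 1, d.depth),
                     min(amount, d.amount), seen | {d.introducer})
    walk(root, 10**9, FULL, {root})  # the root itself may delegate without limit
    return min(total, FULL)

# Constructed sample: Alice authorizes the CA for two domains (as in EXAMPLES)
# and partially trusts Bob as a meta-introducer; Bob in turn authorizes Carol.
DELEGATIONS = [Delegation("alice", "ca", domains=["example.org", "example.com"]),
               Delegation("alice", "bob", depth=2, amount=60), Delegation("bob", "carol")]
CERTS = {("ca", "dave", "Dave <dave@example.org>"), ("ca", "eve", "Eve <eve@other.example>"),
         ("carol", "dave", "Dave <dave@example.org>"), ("carol", "frank", "Frank <frank@example.net>")}
```

       The CA's certification over a user ID outside example.org/example.com contributes nothing, and Carol,
       who received only one level of depth from Bob, cannot introduce anyone further.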

SEE ALSO

       sq(1), sq-pki(1), sq-pki-vouch(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION

       1.3.1

Sequoia PGP                                           1.3.1                                                SQ(1)