Provided by: sq_1.3.1-2_amd64

NAME

       sq-pki-link-authorize - Make a certificate a trusted introducer

SYNOPSIS

       sq pki link authorize [OPTIONS]

DESCRIPTION

       Make a certificate a trusted introducer.

       This causes `sq` to consider the certificate to be a trusted introducer.  Trusted introducer is
       another term for certification authority (CA).  When you link a trusted introducer, you consider
       certifications made by the trusted introducer to be valid.  A trusted introducer can also designate
       further trusted introducers.

       As is, a trusted introducer has a lot of power.  This power can be limited in several ways.

         - The ability to specify further introducers can be constrained using the `--depth` parameter.

         - The degree to which an introducer is trusted can be changed using the `--amount` parameter.

         - The user IDs that an introducer can certify can be constrained by domain using the `--domain`
           parameter or by regular expression using the `--regex` parameter.

       These mechanisms allow you to say, for instance, that you are willing to rely on the CA for
       example.org, but only for user IDs that have an email address at example.org.
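       The following is an added example, not code from sq or this manual page.  It models how the
       `--depth`, `--amount`, `--domain` and `--regex` constraints gate a certification so that the
       effect of each option can be checked on sample user IDs.  It assumes OpenPGP trust-signature
       semantics (one unit of depth per delegation hop, the amount of a path is the minimum along it),
       an exact, case-insensitive domain match, and that any one matching domain or regex suffices.

```python
# Added example, not code from sq or this manual page.  It models how the
# --depth, --amount, --domain and --regex constraints gate a certification.
# Assumptions: depth is consumed one per delegation hop and the amount of a
# path is the minimum along it (OpenPGP trust-signature semantics); a domain
# constraint is an exact, case-insensitive match on the email's domain; any
# one matching domain or regex suffices.
import re
from dataclasses import dataclass, field

FULL = 120  # --amount default ("full"); 60 is the usual "partial"


@dataclass
class Introducer:
    fingerprint: str
    amount: int = FULL   # --amount: 1..120, as you (or the previous hop) granted it
    depth: int = 255     # --depth: 1 = plain introducer, 2 = meta-introducer, ...
    domains: list = field(default_factory=list)   # --domain constraints
    regexes: list = field(default_factory=list)   # --regex constraints

    def accepts(self, userid: str) -> bool:
        """Is a certification by this introducer over `userid` respected?"""
        if not self.domains and not self.regexes:
            return True  # linked with --unconstrained
        # Pull the domain out of `Name (Comment) <local@domain>` or a bare address.
        m = (re.search(r"<[^<>@]+@([^<>]+)>$", userid)
             or re.fullmatch(r"[^@\s]+@(\S+)", userid))
        if m and m.group(1).lower() in (d.lower() for d in self.domains):
            return True
        return any(re.search(rx, userid) for rx in self.regexes)


def path_amount(chain: list, final_userid: str) -> int:
    """Trust amount a delegation chain confers on `final_userid`, or 0.

    chain[0] is (introducer you linked, its user ID); chain[i] for i >= 1 is
    (introducer, the user ID under which chain[i-1] authorized it).  With
    depth 1 an introducer may certify end-entity user IDs only; every
    further hop of delegation needs one more unit of depth.
    """
    hops = len(chain)
    amount = FULL
    for i, (intro, cert_uid) in enumerate(chain):
        if intro.depth < hops - i:   # not enough depth left to delegate further
            return 0
        if i > 0 and not chain[i - 1][0].accepts(cert_uid):
            return 0                 # the previous hop's constraint rejects this introducer
        amount = min(amount, intro.amount)
    return amount if chain[-1][0].accepts(final_userid) else 0
```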

       A link can be retracted using `sq pki link retract`.

       This command is similar to `sq pki vouch authorize`, but the certifications it makes are done using the
       certificate directory's trust root, not an arbitrary key.  Further, the certifications are marked as
       non-exportable.  The former makes it easier to manage certifications, especially when your certification
       key is offline.  The latter improves your privacy by reducing the chance that parts of your social
       graph are leaked when a certificate is shared.

       By default, a link never expires.  The `--expiration` argument sets a validity period, given either
       as a point in time at which validity ends or as a duration.

       `sq  pki  link authorize` respects the reference time set by the top-level `--time` argument. It sets the
       link's creation time to the reference time.

OPTIONS

   Subcommand options
       --add-email=EMAIL
              Use a user ID with the specified email address

              The user ID consists of just the email address.  The email address does not have to  appear  in  a
              self-signed user ID.

       --add-userid=USERID
              Use the specified user ID

              The specified user ID does not need to be self signed.

              Because using a user ID that is not self-signed is often a mistake, you need to use this option to
              explicitly opt in.

       --all  Use all self-signed user IDs

       --allow-non-canonical-userids
              Don't reject new user IDs that are not in canonical form

              Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.

       --amount=AMOUNT
              Set the amount of trust

              Values  between  1 and 120 are meaningful. 120 means fully trusted.  Values less than 120 indicate
              the degree of trust.  60 is usually used for partially trusted.

              [default: full]

       --cert=FINGERPRINT|KEYID
              Use certificates with the specified fingerprint or key ID

       --cert-special=SPECIAL
              Use certificates identified by the special name

              [possible values: public-directories, keys.openpgp.org, keys.mailvelope.com, proton.me, wkd, dane,
              autocrypt, web]

       --depth=TRUST_DEPTH
              Set the trust depth

              This is sometimes referred to as the trust level.  1 means CERTIFICATE  is  a  trusted  introducer
              (default),  2  means  CERTIFICATE  is  a meta-trusted introducer and can authorize another trusted
              introducer, etc.

              [default: 255]

       --domain=DOMAIN
              Add a domain constraint to the introducer

               Add a domain to constrain what certifications are respected.  A certification made by the
               certificate is only respected if it is over a user ID with an email address in the specified
               domain.  Multiple domains may be specified.  In that case, at least one must match.

       --email=EMAIL
              Use a user ID consisting of just the email address, if the email address occurs in  a  self-signed
              user ID

       --expiration=EXPIRATION
              Sets the expiration time

              EXPIRATION  is  either  an  ISO 8601 formatted date with an optional time or a custom duration.  A
              duration takes the form `N[ymwds]`, where the letters stand for years, months,  weeks,  days,  and
              seconds, respectively. Alternatively, the keyword `never` does not set an expiration time.

              [default: never]

       --recreate
              Recreate the signature even if the parameters did not change

              If  the  link parameters did not change, and thus creating a signature should not be necessary, we
              omit the operation.  This flag can be given to force the signature to be recreated anyway.

       --regex=REGEX
              Add a regular expression to constrain the introducer

               Add a regular expression to constrain what certifications are respected.  A certification made by
               the certificate is only respected if it is over a user ID that matches one of the specified
               regular expressions.  Multiple regular expressions may be specified.  In that case, at least one
               must match.

       --signature-notation NAME VALUE
              Add a notation to the signature

              A  user-defined  notation's  name  must  be  of  the  form `name@a.domain.you.control.org`. If the
              notation's name starts with a `!`, then the notation is marked as being critical.  If  a  consumer
              of  a  signature  doesn't  understand a critical notation, then it will ignore the signature.  The
              notation is marked as being human readable.

       --unconstrained
              Don't constrain the introducer

              Normally an introducer is constrained so that only certain user IDs  are  respected,  e.g.,  those
              that  have  an  email  address  for  a  certain domain name.  This option authorizes an introducer
              without constraining it in this way.  Because this grants the introducer a lot of power, you  have
              to opt in to this behavior explicitly.

       --userid=USERID
              Use the specified self-signed user ID

              The specified user ID must be self signed.

       --userid-by-email=EMAIL
              Use the self-signed user ID with the specified email address

   Global options
       See sq(1) for a description of the global options.

EXAMPLES

       Add an unconstrained trusted introducer.

              sq pki link authorize --unconstrained \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

       Add a trusted introducer for example.org and example.com.

              sq pki link authorize --domain=example.org \
                     --domain=example.com \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

       Add a partially trusted introducer.

              sq pki link authorize --unconstrained --amount=60 \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

SEE ALSO

       sq(1), sq-pki(1), sq-pki-link(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION

       1.3.1

Sequoia PGP                                           1.3.1                                                SQ(1)