Provided by: sq_1.3.1-2_amd64

NAME

       sq-pki-link - Manage authenticated certificate and User ID links

SYNOPSIS

       sq pki link add [OPTIONS]
       sq pki link authorize [OPTIONS]
       sq pki link retract [OPTIONS]
       sq pki link list [OPTIONS] PATTERN

DESCRIPTION

       Manage authenticated certificate and User ID links.

       Linking  a certificate and User ID is one way of making `sq` consider a binding to be authentic.  Another
       way is to use `sq pki vouch add` to certify the binding with an explicitly configured  trust  root.   The
       linking functionality is often easier to work with, and the information is private by default.

       Authenticated bindings can be used to designate a certificate using a symbolic name.  For instance, using
       `sq  encrypt`'s `--for-userid` and `--for-email` options, a user can designate a certificate using a User
       ID or an email address that is authenticated for that certificate.

       `sq` also uses authenticated  certificates  to  authenticate  other  data.   For  instance,  `sq  verify`
       considers signatures made by an authenticated certificate to be authentic.

       Users  can  create  a  link using `sq pki link add`.  That link can later be retracted using `sq pki link
       retract`.  A certificate can also be accepted as a trusted introducer by using `sq pki link authorize`.

       `sq` implements linking using non-exportable certifications, and an  implicit  trust  root.   An  OpenPGP
       certificate  directory, the default certificate store used by `sq`, includes a local trust root, which is
       stored under the `trust-root` special name.  When the user instructs `sq` to accept a binding, `sq`  uses
       the  local  trust  root  to  create  a  non-exportable  certification, which it stores in the certificate
       directory.  In this way, operations that use the Web of Trust to authenticate a binding automatically use
       links.

       When a user retracts a link, `sq` creates a new, non-exportable  certification  with  zero  trust.   This
       certification suppresses the previous link.

SUBCOMMANDS

   sq pki link add
       Link a certificate and a user ID.

       This  causes  `sq` to consider the certificate and user ID binding to be authentic.  You would do this if
       you are confident that a particular certificate should be associated with Alice, for example.  Note: this
       does not consider the certificate to be a trusted  introducer;  it  only  considers  the  binding  to  be
       authentic.  To authorize a certificate to be a trusted introducer use `sq pki link authorize`.

       A link can be retracted using `sq pki link retract`.

       This command is similar to `sq pki vouch add`, but the certifications it makes are done using the
       certificate directory's trust root, not an arbitrary key.  Further, the certifications are marked as
       non-exportable.  The former makes it easier to manage certifications, especially when the user's
       certification key is offline.  And the latter improves the user's privacy, by reducing the chance that
       parts of the user's social graph are leaked when a certificate is shared.

       By default a link never expires.  This can be overridden using the `--expiration` argument.

       `sq  pki link add` respects the reference time set by the top-level `--time` argument. It sets the link's
       creation time to the reference time.

   sq pki link authorize
       Make a certificate a trusted introducer.

       This causes `sq` to consider the certificate to be a trusted introducer.  Trusted introducer is
       another word for certification authority (CA).  When you link a trusted introducer, you consider
       certifications made by the trusted introducer to be valid.  A trusted introducer can also designate
       further trusted introducers.

       As is, a trusted introducer has a lot of power.  This power can be limited in several ways.

         - The ability to specify further introducers can be constrained using the `--depth` parameter.

         - The degree to which an introducer is trusted can be changed using the `--amount` parameter.

         - The user IDs that an introducer can certify can be constrained by domain using the `--domain`
           parameter or a regular expression using the `--regex` parameter.

       These mechanisms allow you to say that you are willing to rely on the CA for example.org,  but  only  for
       user IDs that have an email address for example.org, for instance.

       A link can be retracted using `sq pki link retract`.

       This command is similar to `sq pki vouch authorize`, but the certifications it makes are done using the
       certificate directory's trust root, not an arbitrary key.  Further, the certifications are marked as
       non-exportable.  The former makes it easier to manage certifications, especially when your certification
       key is offline.  And the latter improves your privacy, by reducing the chance that parts of your social
       graph are leaked when a certificate is shared.

       By default a link never expires.  The `--expiration` argument sets a specific validity period, given
       either as a point in time at which validity ends or as a validity duration.

       `sq pki link authorize` respects the reference time set by the top-level `--time` argument. It  sets  the
       link's creation time to the reference time.

   sq pki link retract
       Retract links.

       This command retracts links that were previously created using `sq pki link add` or `sq pki link
       authorize`.  See those subcommands' documentation for more details.  Note: this is called `retract` and
       not `remove`, because the certifications are not removed.  Instead a new certification is added, which
       says that the binding has not been authenticated.

       `sq  pki link retract` respects the reference time set by the top-level `--time` argument.  This causes a
       link to be retracted as of a particular time instead of the current time.

   sq pki link list
       List links.

       This command lists all bindings that are linked or whose link has been retracted.

       Returns a non-zero exit code if an explicitly designated certificate was never linked.

EXAMPLES

   sq pki link
       Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the email address alice@example.org.

              sq pki link add \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --email=alice@example.org

       Then, temporarily  accept  the  certificate  EB28F26E2739A4870ECC47726F0073F60FD0CBF0  with  all  of  its
       self-signed user IDs for a week.

              sq pki link add --expiration=1w \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

       Accept the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all of its self-signed user IDs as a
       trusted  certification  authority  constrained  to  the  domain example.org.  That is, the certificate is
       considered a trusted introducer for example.org.

              sq pki link authorize --domain=example.org \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

       List all links.

              sq pki link list

       Retract the acceptance of certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 and  any  associated  user
       IDs.  This effectively invalidates all links.

              sq pki link retract \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

   sq pki link add
       Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the email address alice@example.org.

              sq pki link add \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --email=alice@example.org

       First, examine the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0.

              sq inspect --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0

       Then,  temporarily  accept  the  certificate  EB28F26E2739A4870ECC47726F0073F60FD0CBF0  with  all  of its
       self-signed user IDs for a week.

              sq pki link add --expiration=1w \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

       Once satisfied, permanently accept the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with  all  of
       its self-signed user IDs.

              sq pki link add \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

   sq pki link authorize
       Add an unconstrained trusted introducer.

              sq pki link authorize --unconstrained \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

       Add a trusted introducer for example.org and example.com.

              sq pki link authorize --domain=example.org \
                     --domain=example.com \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

       Add a partially trusted introducer.

              sq pki link authorize --unconstrained --amount=60 \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all
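
       The limits described under `sq pki link authorize` can be combined and enforced before the link is
       made.  The wrapper below is an added example, not part of sq or its documentation: it refuses
       anything but a full fingerprint and at least one domain, then issues a time-limited, domain-scoped
       authorization.  The function names, the `SQ` variable and the value `--depth=1` (taken here to mean
       the introducer may not designate further introducers) are assumptions.

```shell
#!/bin/sh
# Added example (not from the sq project): guarded `sq pki link authorize`.
# SQ is the program to run; set SQ=echo to print the command instead.
SQ="${SQ:-sq}"

# Succeed only for a 40-hex-digit fingerprint, the form used on this page.
is_full_fingerprint() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# authorize_scoped_ca FPR EXPIRATION DOMAIN [DOMAIN...]   (hypothetical helper)
# Links FPR as a trusted introducer limited to the given domains and to
# the given validity period. --depth=1 is an ASSUMED value meaning "may
# certify bindings but may not designate further introducers".
authorize_scoped_ca() {
    if [ "$#" -lt 3 ]; then
        echo "refusing: need FPR, EXPIRATION and at least one DOMAIN" >&2
        return 2
    fi
    fpr=$1 expiration=$2
    shift 2
    if ! is_full_fingerprint "$fpr"; then
        echo "refusing: '$fpr' is not a full fingerprint" >&2
        return 2
    fi
    ndomains=$#
    for d in "$@"; do
        case "$d" in
            ""|*[!A-Za-z0-9.-]*)
                echo "refusing: malformed domain '$d'" >&2
                return 2 ;;
        esac
        set -- "$@" "--domain=$d"      # append the flag after the raw names
    done
    shift "$ndomains"                   # drop the raw names, keep the flags
    "$SQ" pki link authorize "$@" --depth=1 \
        --expiration="$expiration" --cert="$fpr" --all
}

# Example call (constructed values, fingerprint taken from this page):
#   authorize_scoped_ca EB28F26E2739A4870ECC47726F0073F60FD0CBF0 1w example.org
```

       Running it with `SQ=echo` prints the command that would be executed, which is useful for review
       before a trust decision is written to the certificate directory.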

   sq pki link retract
       Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the email address alice@example.org.

              sq pki link add \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --add-email=alice@example.org

       Retract  the  acceptance  of  certificate  EB28F26E2739A4870ECC47726F0073F60FD0CBF0 and the email address
       alice@example.org.

              sq pki link retract \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --email=alice@example.org

       Retract the acceptance of certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 and  any  associated  user
       IDs.  This effectively invalidates all links.

              sq pki link retract \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

   sq pki link list
       Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the email address alice@example.org.

              sq pki link add \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --email=alice@example.org

       List all links.

              sq pki link list

       List  links to certificates with an authenticated user ID that contains an email address in the specified
       domain.

              sq pki link list --cert-domain=example.org

SEE ALSO

       sq(1),     sq-pki(1),     sq-pki-link-add(1),      sq-pki-link-authorize(1),      sq-pki-link-retract(1),
       sq-pki-link-list(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION

       1.3.1

Sequoia PGP                                           1.3.1                                                SQ(1)