Provided by: sq_1.3.1-2_amd64

NAME

       sq-pki-vouch-add - Certify a User ID for a Certificate

SYNOPSIS

       sq pki vouch add [OPTIONS]

DESCRIPTION

       Certify a User ID for a Certificate.

       Using a certification, a keyholder may vouch for the fact that another certificate legitimately belongs
       to a user ID.  In the context of email, this means that the same entity controls the key and the email
       address.  This kind of certification forms the basis for the Web of Trust.

       This command emits the certificate with the  new  certification.   The  updated  certificate  has  to  be
       distributed,  preferably  by  sending  it  to  the  certificate  holder  for  approval.  See also `sq key
       approvals`.

       By default, a certification expires after 10 years.  Use the `--expiration` argument to define a
       specific validity period, given either as a point in time at which validity ends or as a validity
       duration.

       `sq pki vouch add` respects the reference time set by the  top-level  `--time`  argument.   It  sets  the
       certification's creation time to the reference time.

OPTIONS

   Subcommand options
       --add-email=EMAIL
              Use a user ID with the specified email address

              The  user  ID  consists of just the email address.  The email address does not have to appear in a
              self-signed user ID.

       --add-userid=USERID
              Use the specified user ID

              The specified user ID does not need to be self signed.

              Because using a user ID that is not self-signed is often a mistake, you need to use this option to
              explicitly opt in.

       --all  Use all self-signed user IDs

       --allow-non-canonical-userids
              Don't reject new user IDs that are not in canonical form

              Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.

       --amount=AMOUNT
              Set the amount of trust

              Values between 1 and 120 are meaningful.  120 means fully trusted.  Values less than 120  indicate
              the degree of trust.  60 is usually used for partially trusted.

              [default: full]

       --cert=FINGERPRINT|KEYID
              Use certificates with the specified fingerprint or key ID

       --cert-file=PATH
              Read certificates from PATH

       --certifier=FINGERPRINT|KEYID
              Create the certification using the key with the specified fingerprint or key ID

       --certifier-email=EMAIL
              Create the certification using the key where a user ID includes the specified email address

       --certifier-file=PATH
              Create the certification using the key read from PATH

       --certifier-self
              Create the certification using your default certification key

              This uses the certificates set in the configuration file under `pki.vouch.certifier-self` as the
              certification key.

              Currently, there is no default certification key.

       --certifier-userid=USERID
              Create the certification using the key with the specified user ID

       --email=EMAIL
              Use a user ID consisting of just the email address, if the email address occurs in  a  self-signed
              user ID

       --expiration=EXPIRATION
              Sets the expiration time

              EXPIRATION  is  either  an  ISO 8601 formatted date with an optional time or a custom duration.  A
              duration takes the form `N[ymwds]`, where the letters stand for years, months,  weeks,  days,  and
              seconds, respectively. Alternatively, the keyword `never` does not set an expiration time.

              The default can be changed in the configuration file using the setting `pki.vouch.expiration`.

              [default: 10y]

       --local
              Make the certification a local certification

              Normally, local certifications are not exported.

       --non-revocable
              Mark the certification as being non-revocable

              That  is,  you  cannot later revoke this certification.  This should normally only be used with an
              expiration.

       --output=FILE
              Write to FILE or stdout if omitted

       --signature-notation NAME VALUE
              Add a notation to the signature

              A user-defined notation's name  must  be  of  the  form  `name@a.domain.you.control.org`.  If  the
              notation's  name  starts with a `!`, then the notation is marked as being critical.  If a consumer
              of a signature doesn't understand a critical notation, then it will  ignore  the  signature.   The
              notation is marked as being human readable.

       --userid=USERID
              Use the specified self-signed user ID

              The specified user ID must be self signed.

       --userid-by-email=EMAIL
              Use the self-signed user ID with the specified email address

   Global options
       See sq(1) for a description of the global options.

EXAMPLES

       Alice certifies that Bob controls 3F68CB84CE537C9A and bob@example.org.

              sq pki vouch add \
                     --certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --cert=511257EBBF077B7AEDAE5D093F68CB84CE537C9A \
                     --email=bob@example.org

       Alice certifies that Bob controls 3F68CB84CE537C9A and bob@bobs.lair.net, which is not a self-signed user
       ID.

              sq pki vouch add \
                     --certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --cert=511257EBBF077B7AEDAE5D093F68CB84CE537C9A \
                     --add-email=bob@bobs.lair.net
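
       The following pre-flight check is an added example, not part of sq or of the original page.  It
       validates `--amount` and `--expiration` values against the ranges and forms described under OPTIONS
       and refuses `--non-revocable` together with `never`.  The function names and the policy are
       assumptions.

```shell
#!/bin/sh
# Added example: vouch_check and its helpers are hypothetical, not part of sq.

# valid_amount AMOUNT: "full" (the documented default) or an integer in 1..120.
valid_amount() {
    case "$1" in
        full) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 3 ] && [ "$1" -ge 1 ] && [ "$1" -le 120 ]
}

# valid_expiration EXPIRATION: `never`, a duration N[ymwds], or a value that
# starts like an ISO 8601 date (prefix shape check only; sq does the parsing).
valid_expiration() {
    case "$1" in
        never) return 0 ;;
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]*) return 0 ;;
    esac
    n=${1%[ymwds]}                 # strip one trailing unit letter
    [ "$n" != "$1" ] || return 1   # no unit letter was present
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# vouch_check AMOUNT EXPIRATION NON_REVOCABLE(yes|no)
# Prints the options to pass to `sq pki vouch add`, or fails with a reason.
vouch_check() {
    valid_amount "$1" || { echo "bad --amount: $1" >&2; return 1; }
    valid_expiration "$2" || { echo "bad --expiration: $2" >&2; return 1; }
    if [ "$3" = yes ] && [ "$2" = never ]; then
        # A non-revocable certification that never expires cannot be undone.
        echo "--non-revocable requires an expiration" >&2
        return 1
    fi
    opts="--amount=$1 --expiration=$2"
    [ "$3" = yes ] && opts="$opts --non-revocable"
    echo "$opts"
}

# Usage with the certificates from the examples above (word splitting of
# $opts is intended):
#   opts=$(vouch_check 60 1y yes) && sq pki vouch add \
#       --certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
#       --cert=511257EBBF077B7AEDAE5D093F68CB84CE537C9A \
#       --email=bob@example.org $opts
```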

SEE ALSO

       sq(1), sq-pki(1), sq-pki-vouch(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION

       1.3.1

Sequoia PGP                                           1.3.1                                                SQ(1)