sequoia-wot(1)              General Commands Manual              sequoia-wot(1)

NAME
       sequoia-wot - An implementation of OpenPGP's web of trust.

SYNOPSIS
       sequoia-wot [--gpg] [-k|--keyring] [--gpg-keyring] [--network]
       [--keyserver] [-r|--trust-root] [--gpg-ownertrust] [--gossip]
       [--certification-network] [-a|--trust-amount] [--partial] [--full]
       [--double] [--time] [--known-notation] [-h|--help] [-V|--version]
       <subcommands>

DESCRIPTION
       An implementation of OpenPGP's web of trust.

OPTIONS
       --gpg  Uses gpg's keyring and gpg's trust roots.

              When this option is set, `sq-wot` reads gpg's keyring and gpg's
              ownertrust. This is equivalent to passing `--gpg-keyring` and
              `--gpg-ownertrust`.

       -k, --keyring=FILE
              Adds FILE to the list of keyrings.

              The keyrings are read at startup and used to build a web of
              trust network. Note: if a certificate occurs multiple times,
              only the first version is used; the versions are not currently
              merged.

       --gpg-keyring
              Adds GnuPG's keyring to the list of keyrings.

              This option causes `sq-wot` to read gpg's keyring by parsing
              the output of `gpg --export --export-options export-local-sigs`.

       --network
              Looks up missing certificates over the network.

              This causes `sq-wot` to look up missing certificates on a key
              server. The default key server can be overridden using the
              `--keyserver` option.

              Certificates fetched from a key server are cached locally in the
              default cert-d. The default cert-d is also checked prior to
              fetching a certificate from the key server.

       --keyserver=KEYSERVER [default: hkps://keyserver.ubuntu.com]
              Sets the keyserver to use to KEYSERVER.

              This option only makes sense when used in conjunction with the
              `--network` option. Currently, it is only possible to set a
              single keyserver.

       -r, --trust-root=FINGERPRINT|KEYID
              Treats the specified certificate as a trust root.

              It is possible to have multiple trust roots. All trust roots
              are treated equivalently. This can be combined with
              `--gpg-ownertrust`.

       --gpg-ownertrust
              Causes `sq-wot` to use gpg's trust roots as the trust roots.

              `sq-wot` reads the output of `gpg --export-ownertrust`. It
              treats gpg's ultimately trusted certificates as fully trusted
              roots. Similar to gpg, it also treats certificates marked as
              fully and marginally trusted as fully and marginally trusted
              roots, if a self-signed User ID can be authenticated by an
              ultimately trusted root.

              It is possible to set additional trust roots using the
              `--trust-root` option.
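
An added example, not part of sq-wot or this manual: a small auditor that shows which entries in `gpg --export-ownertrust` output would become trust roots under the rule above, and which only qualify once authenticated by an ultimately trusted root (that check is flagged, not performed). The sample fingerprints are constructed, and using 40 as the amount for marginal roots and skipping disabled keys are assumptions of this example.

```python
import string

FULL, MARGINAL = 120, 40   # 120 is the page's "full"; 40 for marginal is an assumption
# gpg ownertrust level -> (trust amount, needs authentication by an ultimate root)
LEVELS = {6: (FULL, False), 5: (FULL, True), 4: (MARGINAL, True)}
DISABLED = 128             # gpg flag bit stored alongside the level (low 4 bits)


def parse_ownertrust(text):
    """Split ownertrust output into unconditional roots, conditional roots,
    and the numbers of the lines that could not be parsed."""
    roots, conditional, rejected = {}, {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment header
        fields = line.split(":")
        fpr = fields[0].upper()
        if (len(fields) < 2 or len(fpr) not in (40, 64)
                or not set(fpr) <= set(string.hexdigits)
                or not fields[1].isdigit()):
            rejected.append(lineno)       # report instead of silently trusting
            continue
        value = int(fields[1])
        if value & DISABLED or (value & 15) not in LEVELS:
            continue                      # disabled, unknown, undefined or never
        amount, needs_auth = LEVELS[value & 15]
        (conditional if needs_auth else roots)[fpr] = amount
    return roots, conditional, rejected


# Constructed sample in the FINGERPRINT:VALUE: layout; not real gpg output.
ULTIMATE = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE = "\n".join([
    "# constructed sample",
    ULTIMATE + ":6:",          # ultimate: fully trusted root
    "A" * 40 + ":5:",          # full: root only if authenticated
    "B" * 40 + ":4:",          # marginal: root only if authenticated
    "C" * 40 + ":3:",          # never: not a root
    "D" * 40 + ":134:",        # ultimate but disabled (6 + 128): skipped
    "not-a-fingerprint:6:",    # malformed: rejected
])

if __name__ == "__main__":
    roots, conditional, rejected = parse_ownertrust(SAMPLE)
    print("roots:", roots)
    print("need authentication first:", conditional)
    print("rejected lines:", rejected)
```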

       --gossip
              Treats all certificates as unreliable trust roots.

              This option is useful for figuring out what others think about a
              certificate (i.e., gossip or hearsay). In other words, this
              finds arbitrary paths to a particular certificate.

              Gossip is useful in helping to identify alternative ways to
              authenticate a certificate. For instance, imagine Ed wants to
              authenticate Laura's certificate, but asking her directly is
              inconvenient. Ed discovers that Micah has certified Laura's
              certificate, but Ed hasn't yet authenticated Micah's certificate.
              If Ed is willing to rely on Micah as a trusted introducer, and
              authenticating Micah's certificate is easier than authenticating
              Laura's certificate, then Ed has learned about an easier way to
              authenticate Laura's certificate.

              EXAMPLES:

              # Get gossip about a certificate.
              $ sq-wot --keyring keyring.pgp \
                  --gossip identify 3217C509292FC67076ECD75C7614269BDDF73B36

       --certification-network
              Treats the network as a certification network.

              Normally, `sq-wot` treats the web-of-trust network as an
              authentication network where a certification only means that the
              binding is correct, not that the target should be treated as a
              trusted introducer. In a certification network, the targets of
              certifications are treated as trusted introducers with infinite
              depth, and any regular expressions are ignored. Note: The trust
              amount remains unchanged. This is how most so-called PGP
              path-finding algorithms work.

       -a, --trust-amount=TRUST_AMOUNT
              The required amount of trust.

              120 indicates full authentication; values less than 120 indicate
              partial authentication. When `--certification-network` is
              passed, this defaults to 1200, i.e., `sq-wot` tries to find 10
              paths.

       --partial
              Require partial authentication.

              This is the same as passing `--trust-amount 40`.

       --full Require full authentication.

              This is the same as passing `--trust-amount 120`.

       --double
              Require double authentication.

              This is the same as passing `--trust-amount 240`.
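
An added illustration of `--certification-network` and the trust-amount options above, not sq-wot's code or algorithm: a toy path search over a constructed graph that sums trust amounts and compares the two network interpretations. Ed, Micah and Laura are the names from the `--gossip` text; Nina, the edge values, treating nodes as certificates rather than bindings, and the greedy path search are assumptions of this example.

```python
# Toy model (added example): certifications as (issuer, subject, depth, amount).
# depth 0 = plain certification; depth >= 1 = subject is a trusted introducer.
PARTIAL, FULL, DOUBLE = 40, 120, 240   # --partial, --full, --double
UNLIMITED = 255                        # assumption: stands in for infinite depth


def trust_amount(certs, roots, target, certification_network=False):
    """Greedy sum over valid paths from the roots to target (simplified)."""
    # residual[(issuer, subject)] = [depth, amount not yet used by a path]
    residual = {(i, s): [UNLIMITED if certification_network else d, a]
                for i, s, d, a in certs}

    def find_path(node, allow, seen):
        # allow = how many more certifications the path so far permits
        if node == target:
            return []
        if allow < 1:
            return None
        for (issuer, subject), (depth, amount) in residual.items():
            if issuer == node and subject not in seen and amount > 0:
                rest = find_path(subject, min(allow - 1, depth), seen | {subject})
                if rest is not None:
                    return [(issuer, subject)] + rest
        return None

    total = 0
    for root in roots:
        while path := find_path(root, UNLIMITED, {root}):
            used = min(residual[edge][1] for edge in path)
            for edge in path:
                residual[edge][1] -= used   # each certification is spent once
            total += used
    return total


# Constructed graph: Ed is the only trust root.
CERTS = [
    ("Ed", "Micah", 0, FULL),     # Ed certified Micah's binding only
    ("Micah", "Laura", 0, FULL),  # Micah certified Laura
    ("Ed", "Nina", 1, PARTIAL),   # Ed partially trusts Nina as an introducer
    ("Nina", "Laura", 0, FULL),   # Nina certified Laura
]

if __name__ == "__main__":
    for mode in (False, True):
        amount = trust_amount(CERTS, ["Ed"], "Laura", certification_network=mode)
        print("certification network" if mode else "authentication network", amount)
```

Read as an authentication network, the graph gives Laura only 40, because Ed's plain certification of Micah does not make Micah an introducer. Read as a certification network, it gives 160, since both paths count and the amounts are unchanged.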

       --time=TIME
              Sets the reference time to TIME.

              TIME is interpreted as an ISO 8601 timestamp. To set the
              reference time to July 21, 2013 at midnight UTC, you can do:

              $ sq-wot --time 20130721 CMD ...

              To include a time, add a T, the time and optionally the timezone
              (the default timezone is UTC):

              $ sq-wot --time 20130721T0550+0200 CMD ...

       --known-notation=KNOWN_NOTATION
              Adds KNOWN_NOTATION to the list of known notations.

              This is used when validating signatures. Signatures that have
              unknown notations with the critical bit set are considered
              invalid.

       -h, --help
              Print help (see a summary with '-h')

       -V, --version
              Print version

SUBCOMMANDS
       sequoia-wot-authenticate(1)
              Authenticate a binding

       sequoia-wot-lookup(1)
              Look up the certificates associated with a User ID

       sequoia-wot-identify(1)
              Identify a certificate

       sequoia-wot-list(1)
              List all authenticated bindings (User ID and certificate pairs)

       sequoia-wot-path(1)
              Verify the specified path

       sequoia-wot-help(1)
              Print this message or the help of the given subcommand(s)

VERSION
       v0.5.0

AUTHORS
       Neal H. Walfield <neal@pep.foundation>

sequoia-wot 0.5.0                                               sequoia-wot(1)