Provided by: sq-wot_0.11.0-1_amd64

NAME

       sequoia-wot - An implementation of OpenPGP's web of trust.

SYNOPSIS

       sequoia-wot   [--gpg]   [-k|--keyring]   [--gpg-keyring]   [--network]   [--keyserver]  [-r|--trust-root]
       [-f|--format] [--gpg-ownertrust]  [--gossip]  [--certification-network]  [-a|--trust-amount]  [--partial]
       [--full] [--double] [--time] [--known-notation] [-h|--help] [-V|--version] <subcommands>

DESCRIPTION

       An implementation of OpenPGP's web of trust.

OPTIONS

       --gpg  Uses gpg's keyring and gpg's trust roots.

              When this option is set, `sq-wot` reads gpg's keyring and gpg's ownertrust.  This is equivalent to
              passing `--gpg-keyring` and `--gpg-ownertrust`.

       -k, --keyring=FILE
              Adds FILE to the list of keyrings.

              The  keyrings  are  read  at  start  up  and  used  to  build  a web of trust network.  Note: if a
              certificate occurs multiple times, the first version is taken; they are not currently merged.

       --gpg-keyring
              Adds GnuPG's keyring to the list of keyrings.

              This option causes `sq-wot` to read  gpg's  keyring,  by  parsing  the  output  of  `gpg  --export
              --export-options export-local-sigs`.

       --network
              Looks up missing certificates over the network.

              This  causes `sq-wot` to look up missing certificates on a key server.  The default key server can
              be overridden using the `--keyserver` option.

              Certificates fetched from a key server are cached locally in  the  default  cert-d.   The  default
              cert-d is also checked prior to fetching a certificate from the key server.

       --keyserver=KEYSERVER [default: hkps://keyserver.ubuntu.com]
              Sets the keyserver to use to KEYSERVER.

              This  option only makes sense when used in conjunction with the `--network` option.  Currently, it
              is only possible to set a single keyserver.

       -r, --trust-root=FINGERPRINT|KEYID
              Treats the specified certificate as a trust root.

              It is possible to have multiple trust roots.  All trust roots are treated equivalently.  This  can
              be combined with `--gpg-ownertrust`.

       -f, --format=FORMAT [default: human-readable]
              Render the output in a specific format

              Choosing  a  different output format allows for further post processing of the data using external
              tools.

              Possible values:

                     • dot: output in graphviz's DOT format

                     • human-readable: output in human readable format

       --gpg-ownertrust
              Causes `sq-wot` to use gpg's trust roots as the trust roots.

              `sq-wot` reads the output of  `gpg  --export-ownertrust`.   It  treats  gpg's  ultimately  trusted
              certificates  as  fully trusted roots.  Similar to gpg, it also treats certificates marked as fully
              and marginally trusted as fully and marginally trusted roots, if a  self-signed  User  ID  can  be
              authenticated by an ultimately trusted root.

              It is possible to set additional trust roots using the `--trust-root` option.
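
              An added example (not part of sq-wot or its documentation): a shell helper for reviewing what
              `gpg --export-ownertrust` contains before passing `--gpg-ownertrust`, classifying each record by
              the treatment described above.  The function names and sample fingerprints are constructed; 4, 5
              and 6 are GnuPG's ownertrust codes for marginal, full and ultimate.

```shell
#!/bin/sh
# Added example, not part of sq-wot. Classifies `gpg --export-ownertrust`
# records by how the text above says `--gpg-ownertrust` treats them.

# Constructed sample in the export format (FINGERPRINT:VALUE:); the
# fingerprints are made up. GnuPG values: 4 marginal, 5 full, 6 ultimate.
SAMPLE_OWNERTRUST='# List of assigned trustvalues (constructed sample)
# (Use "gpg --import-ownertrust" to restore them)
0123456789ABCDEF0123456789ABCDEF00000001:6:
0123456789ABCDEF0123456789ABCDEF00000002:5:
0123456789ABCDEF0123456789ABCDEF00000003:4:
0123456789ABCDEF0123456789ABCDEF00000004:3:
not-a-fingerprint:6:'

# classify_ownertrust: reads ownertrust records on stdin and prints one
# "CLASS FINGERPRINT" line per record.
classify_ownertrust() {
    awk -F: '
        /^#/ || NF == 0 { next }                 # comments and blank lines
        $1 !~ /^[0-9A-Fa-f]+$/ || (length($1) != 40 && length($1) != 64) {
            print "malformed " $1; next          # report it, never use as a root
        }
        $2 == 6 { print "root " toupper($1); next }                 # ultimate
        $2 == 5 { print "conditional-full " toupper($1); next }     # needs an authenticated User ID
        $2 == 4 { print "conditional-marginal " toupper($1); next } # needs an authenticated User ID
        { print "ignored " toupper($1) }         # never, undefined, unknown
    '
}

# trust_root_args: the unconditional (ultimate) roots, written as explicit
# `--trust-root` options so they can be reviewed or pinned in a script.
trust_root_args() {
    classify_ownertrust |
        awk '$1 == "root" { printf "%s--trust-root %s", sep, $2; sep = " " }
             END { print "" }'
}

# Demo on the constructed sample; on a real system replace the printf
# with `gpg --export-ownertrust`.
printf '%s\n' "$SAMPLE_OWNERTRUST" | classify_ownertrust
```

              Records classed as conditional only become roots when one of their self-signed User IDs can be
              authenticated by an ultimately trusted root, so they are listed separately from the ultimate ones.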

       --gossip
              Treats all certificates as unreliable trust roots.

              This  option  is  useful  for  figuring out what others think about a certificate (i.e., gossip or
              hearsay).  In other words, this finds arbitrary paths to a particular certificate.

              Gossip is useful in helping to identify alternative  ways  to  authenticate  a  certificate.   For
              instance,  imagine  Ed  wants  to  authenticate  Laura's  certificate,  but asking her directly is
              inconvenient.  Ed discovers that Micah has  certified  Laura's  certificate,  but  Ed  hasn't  yet
              authenticated Micah's certificate.  If Ed is willing to rely on Micah as a trusted introducer, and
              authenticating  Micah's certificate is easier than authenticating Laura's certificate, then Ed has
              learned about an easier way to authenticate Laura's certificate.

              EXAMPLES:

              # Get gossip about a certificate.
              $ sq-wot --keyring keyring.pgp \
                  --gossip identify 3217C509292FC67076ECD75C7614269BDDF73B36

       --certification-network
              Treats the network as a certification network.

              Normally,  `sq-wot`  treats  the  web-of-trust  network  as  an  authentication  network  where  a
              certification only means that the binding is correct, not that the target should be treated  as  a
              trusted  introducer.   In  a  certification  network, the targets of certifications are treated as
              trusted introducers with infinite depth, and any regular expressions are ignored. Note: The  trust
              amount remains unchanged.  This is how most so-called pgp path-finding algorithms work.

       -a, --trust-amount=TRUST_AMOUNT
              The required amount of trust.

              120  indicates  full  authentication;  values less than 120 indicate partial authentication.  When
              `--certification-network` is passed, this defaults to 1200, i.e., sq-wot tries to find 10 paths.

       --partial
              Require partial authentication.

              This is the same as passing `--trust-amount 40`.

       --full Require full authentication.

              This is the same as passing `--trust-amount 120`.

       --double
              Require double authentication.

              This is the same as passing `--trust-amount 240`.

       --time=TIME
              Sets the reference time to TIME.

              TIME is interpreted as an ISO 8601 timestamp.  To set the reference  time  to  July  21,  2013  at
              midnight UTC, you can do:

              $ sq-wot --time 20130721 CMD ...

              To include a time, add a T, the time and optionally the timezone (the default timezone is UTC):

              $ sq-wot --time 20130721T0550+0200 CMD ...

       --known-notation=KNOWN_NOTATION
              Adds KNOWN_NOTATION to the list of known notations.

              This is used when validating signatures.  Signatures that have unknown notations with the critical
              bit set are considered invalid.

       -h, --help
              Print help (see a summary with '-h')

       -V, --version
              Print version

SUBCOMMANDS

       sequoia-wot-authenticate(1)
              Authenticate a binding

       sequoia-wot-lookup(1)
              Lookup the certificates associated with a User ID

       sequoia-wot-identify(1)
              Identify a certificate

       sequoia-wot-list(1)
              List all authenticated bindings (User ID and certificate pairs)

       sequoia-wot-path(1)
              Verify the specified path

       sequoia-wot-help(1)
              Print this message or the help of the given subcommand(s)

VERSION

       v0.11.0

AUTHORS

       Neal H. Walfield <neal@sequoia-pgp.org>

                                               sequoia-wot 0.11.0                                 sequoia-wot(1)