sq pki link add should allow having a trusted introducer for a given email address or user ID
This shortcoming was uncovered by @malte_meiboom and @fschmidtke in their recent exploration of sq.
Using sq pki link add, we can designate a certificate as a CA. And, we can restrict it to user IDs with email addresses in a particular domain. However, we can't (easily) restrict it to a single user ID or email address. We should support this. Perhaps change --ca to recognize prefixes, like --ca email:alice@example.org.
Note: OpenPGP supports this, but GnuPG doesn't. This isn't a big deal in this case, because sq pki link only creates local certificates. But, we should probably also add this option to sq pki certify, which GnuPG may ingest.
Thoughts?
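To make the difference between the two scopes concrete, here is an added example (not part of the issue and not sq's code) that compares a domain-scoped pattern with a single-address pattern of the kind an OpenPGP trust signature carries in its regular expression subpacket. The domain pattern follows the form given in RFC 4880; the single-address pattern, the function names and the sample user IDs are assumptions made for illustration, and Python's `re` stands in for the OpenPGP regular expression dialect.

```python
import re

def domain_scope(domain: str) -> str:
    """Pattern in the RFC 4880 form: any address at the domain or a subdomain."""
    return r"<[^>]+[@.]" + re.escape(domain) + r">$"

def address_scope(email: str) -> str:
    """Assumed single-address pattern: the bracketed address must match exactly."""
    return "<" + re.escape(email) + r">$"

def in_scope(pattern: str, user_id: str) -> bool:
    """True if the introducer's scope covers this user ID."""
    return re.search(pattern, user_id) is not None

# Constructed sample user IDs (not taken from any real certificate).
USER_IDS = [
    "Alice <alice@example.org>",
    "Bob <bob@mail.example.org>",            # subdomain
    "Mallory <malice@example.org>",          # address ends in "alice@example.org"
    "Eve <eve@notexample.org>",              # domain only shares a suffix
    "Eve <alice@example.org.evil.test>",     # target address used as a prefix
    "alice@example.org",                     # bare address, no angle brackets
]

def covered(pattern: str) -> list[str]:
    """User IDs from the sample set that fall inside the given scope."""
    return [uid for uid in USER_IDS if in_scope(pattern, uid)]

if __name__ == "__main__":
    for label, pattern in [
        ("domain ", domain_scope("example.org")),
        ("address", address_scope("alice@example.org")),
    ]:
        print(label, pattern)
        for uid in covered(pattern):
            print("   covers:", uid)
```

The bare-address user ID is covered by neither pattern because both anchor on the angle brackets, which is a case any implementation of a per-address scope would need to decide on explicitly.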