[go: up one dir, main page]

new sop subcommand `sop validate-cert`

I'm proposing a new subcommand that has to do with certificate management.

Something like the following:

sop validate-cert [--authority=CERTS ...] --user-id=USERID < CERTS

It would return success if the OpenPGP certificate supplied on standard input contains the specified USERID, which is certified by at least one of the specified authority certs.

Otherwise, it fails, and sends some sort of useful diagnostic error message to stdout.

This is not the "full" OpenPGP trust model, it's more of a limited-scope equivalent to sop verify.

Some weird corner cases and possible use cases we probably need to think about:

  • what if more than one certificate is in the stream on stdin?
  • do we want some way to verify the e-mail address part of the User ID on its own? (i'm scared of introducing this kind of structured parsing of what is literally just a UTF-8 string, given the complicated history of OpenPGP user IDs.