-The Monkeysphere project's goal is to extend the web of trust model and other
-features of OpenPGP to other areas of the Internet to help us securely identify
-each other while we work online.
+The Monkeysphere project's goal is to extend the web of trust model
+and other features of OpenPGP to other areas of the Internet to help
+us securely identify each other while we work online.
-[[bugs]] | [[download]] | [[news]]
+Specifically, the Monkeysphere is a framework to leverage the OpenPGP
+web of trust for OpenSSH authentication. In other words, it allows
+you to use your OpenPGP keys when using secure shell to both identify
+yourself and the servers you administer or connect to. OpenPGP keys
+are tracked via GnuPG, and managed in the known\_hosts and
+authorized\_keys files used by OpenSSH for connection authentication.
+
+[[bugs]] | [[download]] | [[news]] | [[documentation|doc]]
## Conceptual overview ##
+Everyone who has used secure shell is familiar with the prompt given
+the first time you login, asking if you want to trust the server's
+fingerprint. In addition, many of us take advantage of OpenSSH's
+ability to use RSA or DSA keys for authenticating to a server, rather
+than relying on a password exchange.
+
+[OpenSSH](http://openssh.com/) already provides a functional way for
+managing the RSA and DSA keys required for these
+interactions. However, it lacks any type of [Public Key Infrastructure
+(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure).
+
+The basic idea of the Monkeysphere is to create a framework that uses
+[GnuPG](http://www.gnupg.org/)'s keyring manipulation capabilities and
+public keyserver communication to manage the keys that OpenSSH uses
+for connection authentication.
+
+Under the Monkeysphere, both parties to an OpenSSH connection (client
+and server) explicitly designate who they trust to certify the
+identity of the other party. These trust designations are explicitly
+indicated with traditional GPG keyring trust models. Monkeysphere
+then manages the keys in the known\_hosts and authorized\_keys files
+directly, in such a way that is completely transparent to SSH. No
+modification is made to the SSH protocol on the wire (it continues to
+use raw RSA public keys), and no modification is needed to the OpenSSH
+software.
+
+To emphasize: *no SSH modification is required to use the
+Monkeysphere*.
+
+This offers users of OpenSSH an effective PKI, including the
+possibility for key transitions, transitive identifications,
+revocations, and expirations. It also actively invites broader
+participation in the [OpenPGP](http://en.wikipedia.org/wiki/Openpgp)
+[web of trust](http://en.wikipedia.org/wiki/Web_of_trust).
+
+## Philosophy ##
+
Humans (and
[monkeys](http://www.scottmccloud.com/comics/mi/mi-17/mi-17.html))
have innate capacity to keep track of the identity of a finite number
produce aisle really is the same person who we met at the party last
week.
-For most of us, this limitation has not posed much of a problem in our daily,
-off-line lives. With the Internet, however, we have an ability to interact
-with vastly larger numbers of people than we had before. In addition, on the
-Internet we lose many of our tricks for remembering and identifying people
-(physical characteristics, sound of the voice, etc.).
+For most of us, this limitation has not posed much of a problem in our
+daily, off-line lives. With the Internet, however, we have an ability
+to interact with vastly larger numbers of people than we had
+before. In addition, on the Internet we lose many of our tricks for
+remembering and identifying people (physical characteristics, sound of
+the voice, etc.).
Fortunately, with online communications we have easy access to tools
that can help us navigate these problems.
[OpenPGP](http://en.wikipedia.org/wiki/Openpgp) (a cryptographic
protocol commonly used for sending signed and encrypted email
-messagess) is one such tool. In its simplest form, it allows us to
+messages) is one such tool. In its simplest form, it allows us to
sign our communication in such a way that the recipient can verify the
sender.
-OpenPGP goes beyond this simple use to implement a feature known as the [web of
-trust](http://en.wikipedia.org/wiki/Web_of_trust). The web of trust
-allows people who have never met in person to communicate with a reasonable
-degree of certainty that they are who they say they are. It works like this:
-Person A trusts Person B. Person B verifies Person C's identity. Then, Person
-A can verify Person C's identity.
+OpenPGP goes beyond this simple use to implement a feature known as
+the [web of trust](http://en.wikipedia.org/wiki/Web_of_trust). The web
+of trust allows people who have never met in person to communicate
+with a reasonable degree of certainty that they are who they say they
+are. It works like this: Person A trusts Person B. Person B verifies
+Person C's identity. Then, Person A can verify Person C's identity.
-The Monkeyshpere's goal is to extend the use of OpenPGP from email
-communications to other activities, such as:
+The Monkeyshpere's broader goals are to extend the use of OpenPGP from
+email communications to other activities, such as:
* conclusively identifying the remote server in a remote login session
* granting access to servers to people we've never directly met
-## Technical Details ##
+## Links ##
-The project's first goal is to integrate with
-[http://openssh.com/](OpenSSH).
+* [OpenSSH](http://openssh.com/)
+* [GnuPG](http://www.gnupg.org/)
+* [OpenPGP RFC 4880](http://tools.ietf.org/html/rfc4880)
+* [URI scheme for SSH, RFC draft](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/)
-OpenSSH provides a functional way for management of explicit RSA and
-DSA keys (without any type of [Public Key Infrastructure
-(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure)). The
-basic idea of this project is to create a framework that uses GPG's
-keyring manipulation capabilities and public keyservers to generate
-files that OpenSSH will accept and handle as intended. This offers
-users of OpenSSH an effective PKI, including the possibility for key
-transitions, transitive identifications, revocations, and expirations.
-It also actively invites broader participation in the OpenPGP Web of
-Trust.
-
-Under the Monkeysphere, both parties to an OpenSSH connection (client
-and server) have a responsibility to explicitly designate who they
-trust to certify the identity of the other party. This trust
-designation is explicitly indicated with traditional GPG keyring trust
-model. No modification is made to the SSH protocol on the wire (it
-continues to use raw RSA public keys), and it should work with
-unpatched OpenSSH software.
----
This wiki is powered by [ikiwiki](http://ikiwiki.info).
-
projects / monkeysphere.git / blobdiff