-Monkeysphere is a framework to leverage the OpenPGP web of trust for
-OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and added
-to the authorized\_keys and known\_hosts files used by OpenSSH for
-connection authentication.
+The Monkeysphere project's goal is to extend the web of trust model
+and other features of OpenPGP to other areas of the Internet to help
+us securely identify each other while we work online.
-[[bugs]] | [[download]] | [[news]] | [[documentation|doc]]
+Specifically, monkeysphere is a framework to leverage the OpenPGP
+web of trust for OpenSSH authentication. In other words, it allows
+you to use your OpenPGP keys when using secure shell to both identify
+yourself and the servers you administer or connect to. OpenPGP keys
+are tracked via GnuPG, and managed in the `known_hosts` and
+`authorized_keys` files used by OpenSSH for connection authentication.
+
+[why?](/why) | [[news]] | [[download]] | [[documentation|doc]] | [[community]] | [[bugs]]
## Conceptual overview ##
-[OpenSSH](http://openssh.com/) provides a functional way for
-management of explicit RSA and DSA keys (without any type of [Public
-Key Infrastructure
-(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure)). The
-basic idea of this project is to create a framework that uses
+Everyone who has used secure shell is familiar with the prompt given
+the first time you log in to a new server, asking if you want to trust
+the server's key by verifying the key fingerprint. Unfortunately,
+unless you have access to the server's key fingerprint through a
+secure out-of-band channel, there is no way to verify that the
+fingerprint you are presented with is in fact that of the server your
+really trying to connect to.
+
+Many users also take advantage of OpenSSH's ability to use RSA or DSA
+keys for authenticating to a server (known as
+"`PubkeyAuthentication`"), rather than relying on a password exchange.
+But again, the public part of the key needs to be transmitted to the
+server through a secure out-of-band channel (usually via a separate
+password-based SSH connection or a (hopefully signed) e-mail to the
+system administrator) in order for this type of authentication to
+work.
+
+[OpenSSH](http://openssh.com/) currently provides a functional way to
+manage the RSA and DSA keys required for these interactions through
+the `known_hosts` and `authorized_keys` files. However, it lacks any
+type of [Public Key Infrastructure
+(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure) that
+can verify that the keys being used really are the one required or
+expected.
+
+The basic idea of the Monkeysphere is to create a framework that uses
[GnuPG](http://www.gnupg.org/)'s keyring manipulation capabilities and
-public keyservers to generate files that OpenSSH will accept and
-handle as intended. This offers users of OpenSSH an effective PKI,
+public keyserver communication to manage the keys that OpenSSH uses
+for connection authentication.
+
+The Monkeysphere therefore provides an effective PKI for OpenSSH,
including the possibility for key transitions, transitive
identifications, revocations, and expirations. It also actively
invites broader participation in the
[OpenPGP](http://en.wikipedia.org/wiki/Openpgp) [web of
trust](http://en.wikipedia.org/wiki/Web_of_trust).
+## Technical details ##
+
Under the Monkeysphere, both parties to an OpenSSH connection (client
-and server) have a responsibility to explicitly designate who they
-trust to certify the identity of the other party. This trust
-designation is explicitly indicated with traditional GPG keyring trust
-model. No modification is made to the SSH protocol on the wire (it
-continues to use raw RSA public keys), and it should work with
-unpatched OpenSSH software.
-
-Monkeysphere does not modify ssh in any way, and ssh can be used "out
-of the box". Monkeysphere is a set of tools that manages keys in the
-known\_hosts and authorized\_keys files that ssh uses for connection
-authentication.
+and server) explicitly designate who they trust to certify the
+identity of the other party. These trust designations are explicitly
+indicated with traditional GPG keyring trust models. Monkeysphere
+then manages the keys in the `known_hosts` and `authorized_keys`
+files directly, in such a way that is completely transparent to SSH.
+No modification is made to the SSH protocol on the wire (it continues
+to use raw RSA public keys), and no modification is needed to the
+OpenSSH software.
+
+To emphasize: *no modifications to SSH are required to use the
+Monkeysphere*. OpenSSH can be used as is; completely unpatched and
+"out of the box".
## Philosophy ##
Humans (and
[monkeys](http://www.scottmccloud.com/comics/mi/mi-17/mi-17.html))
-have innate capacity to keep track of the identity of a finite number
-of people. After our social sphere exceeds several dozen or several
-hundred (depending on the individual), our ability to remember and
-distinguish people begins to break down. In other words, at a certain
-point, we can't know for sure that the person we ran into in the
-produce aisle really is the same person who we met at the party last
-week.
+have the innate capacity to keep track of the identities of only a
+finite number of people. After our social sphere exceeds several dozen
+or several hundred (depending on the individual), our ability to
+remember and distinguish people begins to break down. In other words,
+at a certain point, we can't know for sure that the person we ran into
+in the produce aisle really is the same person who we met at the party
+last week.
For most of us, this limitation has not posed much of a problem in our
daily, off-line lives. With the Internet, however, we have an ability
that can help us navigate these problems.
[OpenPGP](http://en.wikipedia.org/wiki/Openpgp) (a cryptographic
protocol commonly used for sending signed and encrypted email
-messagess) is one such tool. In its simplest form, it allows us to
+messages) is one such tool. In its simplest form, it allows us to
sign our communication in such a way that the recipient can verify the
sender.
of trust allows people who have never met in person to communicate
with a reasonable degree of certainty that they are who they say they
are. It works like this: Person A trusts Person B. Person B verifies
-Person C's identity. Then, Person A can verify Person C's identity.
+Person C's identity. Then, Person A can verify Person C's identity
+because of their trust of Person B.
The Monkeyshpere's broader goals are to extend the use of OpenPGP from
email communications to other activities, such as:
* [OpenSSH](http://openssh.com/)
* [GnuPG](http://www.gnupg.org/)
+* [Secure Shell Authentication Protocol RFC 4252](http://tools.ietf.org/html/rfc4252)
* [OpenPGP RFC 4880](http://tools.ietf.org/html/rfc4880)
-* [URI scheme for SSH, RFC draft](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/)
-
----
This wiki is powered by [ikiwiki](http://ikiwiki.info).
-
projects / monkeysphere.git / blobdiff