X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=man%2Fman7%2Fmonkeysphere.7;h=4d1deca4d7d2c0706cbf87759eb54a319f776379;hb=952b13be0cd27271e49fd8499bb56f43ca5c3827;hp=d221c87ba369dcafed6cb3f5bc6789dd44a58f31;hpb=5de2eeb71c3c8f694d990058194afdda7d7f364f;p=monkeysphere.git

diff --git a/man/man7/monkeysphere.7 b/man/man7/monkeysphere.7
index d221c87..4d1deca 100644
--- a/man/man7/monkeysphere.7
+++ b/man/man7/monkeysphere.7
@@ -1,30 +1,56 @@
-.TH MONKEYSPHERE "7" "June 2008" "monkeysphere" "System Frameworks"
+.TH MONKEYSPHERE "7" "March 2010" "monkeysphere" "System Frameworks"
 
 .SH NAME
 
-monkeysphere \- ssh authentication framework using OpenPGP Web of
-Trust
+monkeysphere - ssh and TLS authentication framework using OpenPGP Web of Trust
 
 .SH DESCRIPTION
 
-\fBMonkeysphere\fP is a framework to leverage the OpenPGP Web of Trust
-for ssh authentication.  OpenPGP keys are tracked via GnuPG, and added
-to the authorized_keys and known_hosts files used by ssh for
-connection authentication.
+\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
+for OpenSSH and TLS key-based authentication.  OpenPGP keys are
+tracked via GnuPG, and added to the authorized_keys and known_hosts
+files used by OpenSSH for connection authentication.  Monkeysphere can
+also be used by a validation agent to validate TLS connections
+(e.g. https).
 
 .SH IDENTITY CERTIFIERS
 
-FIXME: describe identity certifier concept
+Each host that uses the \fBMonkeysphere\fP to authenticate its remote
+users needs some way to determine that those users are who they claim
+to be.  SSH permits key-based authentication, but we want instead to
+bind authenticators to human-comprehensible user identities.  This
+switch from raw keys to User IDs makes it possible for administrators
+to see intuitively who has access to an account, and it also enables
+end users to transition keys (and revoke compromised ones)
+automatically across all \fBMonkeysphere\fP-enabled hosts.  The User
+IDs and certifications that the \fBMonkeysphere\fP relies on are found
+in the OpenPGP Web of Trust.
+
+However, in order to establish this binding, each host must know whose
+cerifications to trust.  Someone who a host trusts to certify User
+Identities is called an Identity Certifier.  A host must have at least
+one Identity Certifier in order to bind User IDs to keys.  Commonly,
+every ID Certifier would be trusted by the host to fully identify any
+User ID, but more nuanced approaches are possible as well.  For
+example, a given host could specify a dozen ID certifiers, but assign
+them all "marginal" trust.  Then any given User ID would need to be
+certified in the OpenPGP Web of Trust by at least three of those
+certifiers. 
+
+It is also possible to limit the scope of trust for a given ID
+Certifier to a particular domain.  That is, a host can be configured
+to fully (or marginally) trust a particular ID Certifier only when
+they certify identities within, say, example.org (based on the e-mail
+address in the User ID).
 
 .SH KEY ACCEPTABILITY
 
-During known_host and authorized_keys updates, the monkeysphere
-commands work from a set of user IDs to determine acceptable keys for
-ssh authentication.  OpenPGP keys are considered acceptable if the
-following criteria are met:
+The monkeysphere commands work from a set of user IDs to determine
+acceptable keys for ssh and TLS authentication.  OpenPGP keys are
+considered acceptable if the following criteria are met:
 .TP
 .B capability
-The key must have the "authentication" ("a") usage flag set.
+The key must have the `authentication' (`a') usage flag set.
 .TP
 .B validity
 The key itself must be valid, i.e. it must be well-formed, not
@@ -35,23 +61,30 @@ The relevant user ID must be signed by a trusted identity certifier.
 
 .SH HOST IDENTIFICATION
 
-The OpenPGP keys for hosts have associated user IDs that use the ssh
-URI specification for the host, i.e. "ssh://host.full.domain[:port]".
+The OpenPGP keys for hosts have associated `service names` (OpenPGP
+user IDs) that are based on URI specifications for the service.  Some
+examples:
+.TP
+.B ssh:
+ssh://host.example.com[:port]
+.TP
+.B https:
+https://host.example.com[:port]
 
 .SH AUTHOR
 
 Written by:
-Jameson Rollins <jrollins@fifthhorseman.net>,
+Jameson Rollins <jrollins@finestructure.net>,
 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
 
 .SH SEE ALSO
 
 .BR monkeysphere (1),
-.BR monkeysphere-host (8),
-.BR monkeysphere-authentication (8),
+.BR monkeysphere\-host (8),
+.BR monkeysphere\-authentication (8),
 .BR openpgp2ssh (1),
 .BR pem2openpgp (1),
 .BR gpg (1),
-.BR ssh (1),
 .BR http://tools.ietf.org/html/rfc4880,
-.BR http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/
+.BR ssh (1),
+.BR http://tools.ietf.org/wg/secsh/draft\-ietf\-secsh\-scp\-sftp\-ssh\-uri/