X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=man%2Fman7%2Fmonkeysphere.7;h=666b83170eb4058984014d476909b8416c50b668;hb=c39d11682121a43e690465d194a5bd9fa2275f42;hp=578d96cef5f4408692478b569de7be6ae5cfb685;hpb=e1dcdd693b854afaddb58c2049585ac9247f69a6;p=monkeysphere.git diff --git a/man/man7/monkeysphere.7 b/man/man7/monkeysphere.7 index 578d96c..666b831 100644 --- a/man/man7/monkeysphere.7 +++ b/man/man7/monkeysphere.7 @@ -1,30 +1,57 @@ -.TH MONKEYSPHERE "7" "June 2008" "monkeysphere" "System Frameworks" +.TH MONKEYSPHERE "7" "March 2009" "monkeysphere" "System Frameworks" .SH NAME -monkeysphere \- ssh authentication framework using OpenPGP Web of +monkeysphere - ssh authentication framework using OpenPGP Web of Trust .SH DESCRIPTION -\fBMonkeysphere\fP is a framework to leverage the OpenPGP Web of Trust -for ssh authentication. OpenPGP keys are tracked via GnuPG, and added -to the authorized_keys and known_hosts files used by ssh for -connection authentication. +\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust +for OpenSSH and TLS key-based authentication. OpenPGP keys are +tracked via GnuPG, and added to the authorized_keys and known_hosts +files used by OpenSSH for connection authentication. Monkeysphere can +also be used by a validation agent to validate TLS connections +(e.g. https). .SH IDENTITY CERTIFIERS -FIXME: describe identity certifier concept +Each host that uses the \fBMonkeysphere\fP to authenticate its remote +users needs some way to determine that those users are who they claim +to be. SSH permits key-based authentication, but we want instead to +bind authenticators to human-comprehensible user identities. This +switch from raw keys to User IDs makes it possible for administrators +to see intuitively who has access to an account, and it also enables +end users to transition keys (and revoke compromised ones) +automatically across all \fBMonkeysphere\fP-enabled hosts. The User +IDs and certifications that the \fBMonkeysphere\fP relies on are found +in the OpenPGP Web of Trust. + +However, in order to establish this binding, each host must know whose +cerifications to trust. Someone who a host trusts to certify User +Identities is called an Identity Certifier. A host must have at least +one Identity Certifier in order to bind User IDs to keys. Commonly, +every ID Certifier would be trusted by the host to fully identify any +User ID, but more nuanced approaches are possible as well. For +example, a given host could specify a dozen ID certifiers, but assign +them all "marginal" trust. Then any given User ID would need to be +certified in the OpenPGP Web of Trust by at least three of those +certifiers. + +It is also possible to limit the scope of trust for a given ID +Certifier to a particular domain. That is, a host can be configured +to fully (or marginally) trust a particular ID Certifier only when +they certify identities within, say, example.org (based on the e-mail +address in the User ID). .SH KEY ACCEPTABILITY -During known_host and authorized_keys updates, the monkeysphere -commands work from a set of user IDs to determine acceptable keys for -ssh authentication. OpenPGP keys are considered acceptable if the -following criteria are met: +The monkeysphere commands work from a set of user IDs to determine +acceptable keys for ssh and TLS authentication. OpenPGP keys are +considered acceptable if the following criteria are met: .TP .B capability -The key must have the "authentication" ("a") usage flag set. +The key must have the `authentication' (`a') usage flag set. .TP .B validity The key itself must be valid, i.e. it must be well-formed, not @@ -35,23 +62,30 @@ The relevant user ID must be signed by a trusted identity certifier. .SH HOST IDENTIFICATION -The OpenPGP keys for hosts have associated user IDs that use the ssh -URI specification for the host, i.e. "ssh://host.full.domain[:port]". +The OpenPGP keys for hosts have associated `service names` (OpenPGP +user IDs) that are based on URI specifications for the service. Some +examples: +.TP +.B ssh: +ssh://host.example.com[:port] +.TP +.B https: +https://host.example.com[:port] .SH AUTHOR Written by: -Jameson Rollins , +Jameson Rollins , Daniel Kahn Gillmor .SH SEE ALSO .BR monkeysphere (1), -.BR monkeysphere-host (8), -.BR monkeysphere-authentication (8), +.BR monkeysphere\-host (8), +.BR monkeysphere\-authentication (8), .BR openpgp2ssh (1), .BR pem2openpgp (1), .BR gpg (1), .BR http://tools.ietf.org/html/rfc4880, .BR ssh (1), -.BR http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/ +.BR http://tools.ietf.org/wg/secsh/draft\-ietf\-secsh\-scp\-sftp\-ssh\-uri/