X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=man%2Fman7%2Fmonkeysphere.7;h=d54bd5ab9f568f51439786a1eb33931f9d3eb7cf;hb=207272adad58f4ee86f961367e56fd478c754b39;hp=8d7c43a4514d50defdc1942346ac8ec12df32bbc;hpb=55ea6c63bed596b086bdb3d06e64af5f97dbb55a;p=monkeysphere.git diff --git a/man/man7/monkeysphere.7 b/man/man7/monkeysphere.7 index 8d7c43a..d54bd5a 100644 --- a/man/man7/monkeysphere.7 +++ b/man/man7/monkeysphere.7 @@ -7,14 +7,40 @@ Trust .SH DESCRIPTION -\fBMonkeySphere\fP is a framework to leverage the OpenPGP Web of Trust +\fBMonkeysphere\fP is a framework to leverage the OpenPGP Web of Trust for ssh authentication. OpenPGP keys are tracked via GnuPG, and added to the authorized_keys and known_hosts files used by ssh for connection authentication. .SH IDENTITY CERTIFIERS -FIXME: describe identity certifier concept +Each host that uses the \fBMonkeysphere\fP to authenticate its remote +users needs some way to determine that those users are who they claim +to be. SSH permits key-based authentication, but we want instead to +bind authenticators to human-comprehensible user identities. This +switch from raw keys to User IDs makes it possible for administrators +to see intuitively who has access to an account, and it also enables +end users to transition keys (and revoke compromised ones) +automatically across all \fBMonkeysphere\fP-enabled hosts. The User +IDs and certifications that the \fBMonkeysphere\fP relies on are found +in the OpenPGP Web of Trust. + +However, in order to establish this binding, each host must know whose +cerifications to trust. Someone who a host trusts to certify User +Identities is called an Identity Certifier. A host must have at least +one Identity Certifier in order to bind User IDs to keys. Commonly, +every ID Certifier would be trusted by the host to fully identify any +User ID, but more nuanced approaches are possible as well. For +example, a given host could specify a dozen ID certifiers, but assign +them all "marginal" trust. Then any given User ID would need to be +certified in the OpenPGP Web of Trust by at least three of those +certifiers. + +It is also possible to limit the scope of trust for a given ID +Certifier to a particular domain. That is, a host can be configured +to fully (or marginally) trust a particular ID Certifier only when +they certify identities within, say, example.org (based on the e-mail +address in the User ID). .SH KEY ACCEPTABILITY @@ -40,15 +66,18 @@ URI specification for the host, i.e. "ssh://host.full.domain[:port]". .SH AUTHOR -Written by Jameson Rollins , Daniel Kahn -Gillmor +Written by: +Jameson Rollins , +Daniel Kahn Gillmor .SH SEE ALSO .BR monkeysphere (1), -.BR monkeysphere-server (8), -.BR monkeysphere-ssh-proxycommand (1), +.BR monkeysphere-host (8), +.BR monkeysphere-authentication (8), +.BR openpgp2ssh (1), +.BR pem2openpgp (1), .BR gpg (1), -.BR ssh (1), .BR http://tools.ietf.org/html/rfc4880, +.BR ssh (1), .BR http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/