X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=website%2Findex.mdwn;h=3bc1fe1ea5352b27790817ad3a73d79c411f5309;hb=7c76ffc000cc3b3ed66cfedca46ec46213593492;hp=ecb418385f89d85f934110ccb5b6f88f3e7fcc78;hpb=a09f044b3f181ae9b3b7eec3156de708220d825f;p=monkeysphere.git diff --git a/website/index.mdwn b/website/index.mdwn index ecb4183..3bc1fe1 100644 --- a/website/index.mdwn +++ b/website/index.mdwn 
@@ -1,11 +1,55 @@ -The Monkeysphere project's goal is to extend the web of trust model and other -features of OpenPGP to other areas of the Internet to help us securely identify -each other while we work online. +The Monkeysphere project's goal is to extend the web of trust model +and other features of OpenPGP to other areas of the Internet to help +us securely identify each other while we work online. + +Specifically, the Monkeysphere is a framework to leverage the OpenPGP +web of trust for OpenSSH authentication. In other words, it allows +you to use your OpenPGP keys when using secure shell to both identify +yourself and the servers you administer or connect to. OpenPGP keys +are tracked via GnuPG, and managed in the known\_hosts and +authorized\_keys files used by OpenSSH for connection authentication. [[bugs]] | [[download]] | [[news]] | [[documentation|doc]] ## Conceptual overview ## +Everyone who has used secure shell is familiar with the prompt given +the first time you login, asking if you want to trust the server's +fingerprint. In addition, many of us take advantage of OpenSSH's +ability to use RSA or DSA keys for authenticating to a server, rather +than relying on a password exchange. + +[OpenSSH](http://openssh.com/) already provides a functional way for +managing the RSA and DSA keys required for these +interactions. However, it lacks any type of [Public Key Infrastructure +(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure). + +The basic idea of the Monkeysphere is to create a framework that uses +[GnuPG](http://www.gnupg.org/)'s keyring manipulation capabilities and +public keyserver communication to manage the keys that OpenSSH uses +for connection authentication. + +Under the Monkeysphere, both parties to an OpenSSH connection (client +and server) explicitly designate who they trust to certify the +identity of the other party. These trust designations are explicitly +indicated with traditional GPG keyring trust models. 
Monkeysphere +then manages the keys in the known\_hosts and authorized\_keys files +directly, in such a way that is completely transparent to SSH. No +modification is made to the SSH protocol on the wire (it continues to +use raw RSA public keys), and no modification is needed to the OpenSSH +software. + +To emphasize: *no SSH modification is required to use the +Monkeysphere*. + +This offers users of OpenSSH an effective PKI, including the +possibility for key transitions, transitive identifications, +revocations, and expirations. It also actively invites broader +participation in the [OpenPGP](http://en.wikipedia.org/wiki/Openpgp) +[web of trust](http://en.wikipedia.org/wiki/Web_of_trust). + +## Philosophy ## + Humans (and [monkeys](http://www.scottmccloud.com/comics/mi/mi-17/mi-17.html)) have innate capacity to keep track of the identity of a finite number 
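Review bot: The "effective PKI, including the possibility for key transitions, transitive identifications, revocations, and expirations" paragraph should state when those take effect, because the same hunk says the keys live in known\_hosts and authorized\_keys and that OpenSSH itself is unmodified and only sees raw RSA public keys. That means OpenSSH cannot check revocation or expiration at connection time; a revoked or expired OpenPGP key keeps working until Monkeysphere next rewrites those files. Suggest adding one sentence along the lines of "Revocations and expirations are enforced when Monkeysphere refreshes the known\_hosts and authorized\_keys files, so those files must be regenerated regularly." Two smaller points in the same hunk: the overview says OpenSSH users rely on "RSA or DSA keys" while the framework description says the wire protocol "continues to use raw RSA public keys"; say explicitly which OpenPGP key types Monkeysphere can manage so readers do not assume a DSA OpenPGP key will work. And "trust designations are explicitly indicated with traditional GPG keyring trust models" is vague; naming the mechanism (the ownertrust setting in the GnuPG keyring) would be clearer, and "GPG" should be "GnuPG" for consistency with the rest of the text ("login" in "the first time you login" should also be "log in").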
@@ -16,58 +60,42 @@ point, we can't know for sure that the person we ran into in the produce aisle really is the same person who we met at the party last week. -For most of us, this limitation has not posed much of a problem in our daily, -off-line lives. With the Internet, however, we have an ability to interact -with vastly larger numbers of people than we had before. In addition, on the -Internet we lose many of our tricks for remembering and identifying people -(physical characteristics, sound of the voice, etc.). +For most of us, this limitation has not posed much of a problem in our +daily, off-line lives. With the Internet, however, we have an ability +to interact with vastly larger numbers of people than we had +before. In addition, on the Internet we lose many of our tricks for +remembering and identifying people (physical characteristics, sound of +the voice, etc.). Fortunately, with online communications we have easy access to tools that can help us navigate these problems. [OpenPGP](http://en.wikipedia.org/wiki/Openpgp) (a cryptographic protocol commonly used for sending signed and encrypted email -messagess) is one such tool. In its simplest form, it allows us to +messages) is one such tool. In its simplest form, it allows us to sign our communication in such a way that the recipient can verify the sender. -OpenPGP goes beyond this simple use to implement a feature known as the [web of -trust](http://en.wikipedia.org/wiki/Web_of_trust). The web of trust -allows people who have never met in person to communicate with a reasonable -degree of certainty that they are who they say they are. It works like this: -Person A trusts Person B. Person B verifies Person C's identity. Then, Person -A can verify Person C's identity. +OpenPGP goes beyond this simple use to implement a feature known as +the [web of trust](http://en.wikipedia.org/wiki/Web_of_trust). 
The web +of trust allows people who have never met in person to communicate +with a reasonable degree of certainty that they are who they say they +are. It works like this: Person A trusts Person B. Person B verifies +Person C's identity. Then, Person A can verify Person C's identity. -The Monkeyshpere's goal is to extend the use of OpenPGP from email -communications to other activities, such as: +The Monkeyshpere's broader goals are to extend the use of OpenPGP from +email communications to other activities, such as: * conclusively identifying the remote server in a remote login session * granting access to servers to people we've never directly met -## Technical Details ## +## Links ## -The project's first goal is to integrate with -[OpenSSH](http://openssh.com/). +* [OpenSSH](http://openssh.com/) +* [GnuPG](http://www.gnupg.org/) +* [OpenPGP RFC 4880](http://tools.ietf.org/html/rfc4880) +* [URI scheme for SSH, RFC draft](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/) -OpenSSH provides a functional way for management of explicit RSA and -DSA keys (without any type of [Public Key Infrastructure -(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure)). The -basic idea of this project is to create a framework that uses GPG's -keyring manipulation capabilities and public keyservers to generate -files that OpenSSH will accept and handle as intended. This offers -users of OpenSSH an effective PKI, including the possibility for key -transitions, transitive identifications, revocations, and expirations. -It also actively invites broader participation in the OpenPGP Web of -Trust. - -Under the Monkeysphere, both parties to an OpenSSH connection (client -and server) have a responsibility to explicitly designate who they -trust to certify the identity of the other party. This trust -designation is explicitly indicated with traditional GPG keyring trust -model. 
No modification is made to the SSH protocol on the wire (it -continues to use raw RSA public keys), and it should work with -unpatched OpenSSH software. ---- This wiki is powered by [ikiwiki](http://ikiwiki.info). -
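Review bot: The rewritten web-of-trust explanation ("Person A trusts Person B. Person B verifies Person C's identity. Then, Person A can verify Person C's identity.") conflates two different things, and since this page is about using that model for SSH authentication the distinction matters: A must trust B as an introducer (ownertrust), and B must certify C's key (sign it); only then does A's GnuPG treat C's key as valid. Suggest: "Person A trusts Person B to vouch for other people's keys. Person B certifies Person C's key. Then, Person A will accept Person C's key as valid." Also, the reflowed line "+The Monkeyshpere's broader goals are to extend the use of OpenPGP from" carries over the typo "Monkeyshpere" (the removed line had it too); this is the right moment to correct it to "Monkeysphere's", as was done for "messagess" in the same hunk. Finally, "conclusively identifying the remote server" overstates what a web-of-trust lookup gives; "identifying the remote server through the web of trust" matches the rest of the page better.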