X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=website%2Findex.mdwn;h=bb74fa1bba0acacce2fda230b90e8b1627d2c2ba;hb=072e05ac7a9872edc3a3e18e103bbba2706254bf;hp=ecb418385f89d85f934110ccb5b6f88f3e7fcc78;hpb=a09f044b3f181ae9b3b7eec3156de708220d825f;p=monkeysphere.git diff --git a/website/index.mdwn b/website/index.mdwn index ecb4183..bb74fa1 100644 --- a/website/index.mdwn +++ b/website/index.mdwn @@ -1,73 +1,82 @@ -The Monkeysphere project's goal is to extend the web of trust model and other -features of OpenPGP to other areas of the Internet to help us securely identify -each other while we work online. - -[[bugs]] | [[download]] | [[news]] | [[documentation|doc]] - -## Conceptual overview ## - -Humans (and -[monkeys](http://www.scottmccloud.com/comics/mi/mi-17/mi-17.html)) -have innate capacity to keep track of the identity of a finite number -of people. After our social sphere exceeds several dozen or several -hundred (depending on the individual), our ability to remember and -distinguish people begins to break down. In other words, at a certain -point, we can't know for sure that the person we ran into in the -produce aisle really is the same person who we met at the party last -week. - -For most of us, this limitation has not posed much of a problem in our daily, -off-line lives. With the Internet, however, we have an ability to interact -with vastly larger numbers of people than we had before. In addition, on the -Internet we lose many of our tricks for remembering and identifying people -(physical characteristics, sound of the voice, etc.). - -Fortunately, with online communications we have easy access to tools -that can help us navigate these problems. -[OpenPGP](http://en.wikipedia.org/wiki/Openpgp) (a cryptographic -protocol commonly used for sending signed and encrypted email -messagess) is one such tool. In its simplest form, it allows us to -sign our communication in such a way that the recipient can verify the -sender. - -OpenPGP goes beyond this simple use to implement a feature known as the [web of -trust](http://en.wikipedia.org/wiki/Web_of_trust). The web of trust -allows people who have never met in person to communicate with a reasonable -degree of certainty that they are who they say they are. It works like this: -Person A trusts Person B. Person B verifies Person C's identity. Then, Person -A can verify Person C's identity. - -The Monkeyshpere's goal is to extend the use of OpenPGP from email -communications to other activities, such as: - - * conclusively identifying the remote server in a remote login session - * granting access to servers to people we've never directly met - -## Technical Details ## - -The project's first goal is to integrate with -[OpenSSH](http://openssh.com/). - -OpenSSH provides a functional way for management of explicit RSA and -DSA keys (without any type of [Public Key Infrastructure -(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure)). The -basic idea of this project is to create a framework that uses GPG's -keyring manipulation capabilities and public keyservers to generate -files that OpenSSH will accept and handle as intended. This offers -users of OpenSSH an effective PKI, including the possibility for key -transitions, transitive identifications, revocations, and expirations. -It also actively invites broader participation in the OpenPGP Web of -Trust. +[[!meta title="The Monkeysphere Project"]] +[[!meta license="Unless otherwise noted, all content on this web site is licensed under the GPL version 3 or later"]] +[[!meta copyright="All content on this web site is copyright by the author of that content. [Look in the revision control system](community) for details about who authored a particular piece of content."]] + +# The Monkeysphere Project # + +The Monkeysphere project's goal is to extend OpenPGP's web of trust to +new areas of the Internet to help us securely identify each other +while we work online. + +Specifically, monkeysphere currently offers a framework to leverage +the OpenPGP web of trust for OpenSSH authentication. + +In other words, it allows you to use secure shell as you normally do, +but to identify yourself and the servers you administer or connect to +with your OpenPGP keys. OpenPGP keys are tracked via GnuPG, and +monkeysphere manages the `known_hosts` and `authorized_keys` files +used by OpenSSH for authentication, checking them for cryptographic +validity. + +## Overview ## + +Everyone who has used secure shell is familiar with the prompt given +the first time you log in to a new server, asking if you want to trust +the server's key by verifying the key fingerprint. Unfortunately, +unless you have access to the server's key fingerprint through a +secure out-of-band channel, there is no way to verify that the +fingerprint you are presented with is in fact that of the server +you're really trying to connect to. + +Many users also take advantage of OpenSSH's ability to use RSA or DSA +keys for authenticating to a server (known as +"`PubkeyAuthentication`"), rather than relying on a password exchange. +But again, the public part of the key needs to be transmitted to the +server through a secure out-of-band channel (usually via a separate +password-based SSH connection or a (hopefully signed) e-mail to the +system administrator) in order for this type of authentication to +work. + +[OpenSSH](http://openssh.com/) currently provides a functional way to +manage the RSA and DSA keys required for these interactions through +the `known_hosts` and `authorized_keys` files. However, it lacks any +type of [Public Key Infrastructure +(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure) that +can verify that the keys being used really are the one required or +expected. + +The basic idea of the Monkeysphere is to create a framework that uses +[GnuPG](http://www.gnupg.org/)'s keyring manipulation capabilities and +public keyserver communication to manage the keys that OpenSSH uses +for connection authentication. + +The Monkeysphere therefore provides an effective PKI for OpenSSH, +including the possibility for key transitions, transitive +identifications, revocations, and expirations. It also actively +invites broader participation in the +[OpenPGP](http://en.wikipedia.org/wiki/Openpgp) [web of +trust](http://en.wikipedia.org/wiki/Web_of_trust). Under the Monkeysphere, both parties to an OpenSSH connection (client -and server) have a responsibility to explicitly designate who they -trust to certify the identity of the other party. This trust -designation is explicitly indicated with traditional GPG keyring trust -model. No modification is made to the SSH protocol on the wire (it -continues to use raw RSA public keys), and it should work with -unpatched OpenSSH software. +and server) explicitly designate who they trust to certify the +identity of the other party. These trust designations are explicitly +indicated with traditional GPG keyring trust models. Monkeysphere +then manages the keys in the `known_hosts` and `authorized_keys` files +directly, in such a way that is completely transparent to `ssh`. No +modification is made to the SSH protocol on the wire (it continues to +use raw RSA public keys), and no modification is needed to the OpenSSH +software. + +To emphasize: ***no modifications to SSH are required to use the +Monkeysphere***. OpenSSH can be used as is; completely unpatched and +"out of the box". + +## License ## + +All Monkeysphere software is copyright, 2007-2010, by [the +authors](community), and released under [GPL, version 3 or +later](http://www.gnu.org/licenses/gpl-3.0.html). ---- This wiki is powered by [ikiwiki](http://ikiwiki.info). -