X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=website%2Fwhy.mdwn;h=5c060a5d9b04fe2f20f545353ff2d4cb40f0e746;hb=71d180394c3357d2a99e9f1fc6a2fa7514552da9;hp=989c4eb1c4889609b89389b563044db8447c334e;hpb=c329ccb6fd64234ec64fed0f0a4262a5522e8f58;p=monkeysphere.git diff --git a/website/why.mdwn b/website/why.mdwn index 989c4eb..5c060a5 100644 --- a/website/why.mdwn +++ b/website/why.mdwn @@ -1,8 +1,8 @@ -[[!template id="nav"]] +[[meta title="Why should you be interested in the Monkeysphere?"]] -[[meta title="Why should you be interested in the MonkeySphere?"]] +# Why should you be interested in the Monkeysphere? # -# Why should you be interested in the MonkeySphere? # +[[!toc levels=2]] ## As an `ssh` user ## @@ -16,8 +16,8 @@ seeing messages like this? Do you actually tediously check the fingerprint against a cryptographically-signed message from the admin, or do you just cross your fingers and type "yes"? Do you wish there was a better way to -verify that the host your connecting to actually is the host you mean -to connect to? Shouldn't our tools be able to figure this out +verify that the host you are connecting to actually is the host you +mean to connect to? Shouldn't our tools be able to figure this out automatically? Do you use `ssh`'s public key authentication for convenience and/or @@ -31,7 +31,9 @@ Have you ever wished you could phase out an old key and start using a new one without having to comb through every single account you have ever connected to? -## As an system administrator ## +[Get started with the monkeysphere as a user!](/getting-started-user) + +## As a system administrator ## As a system administrator, have you ever tried to re-key an SSH server? How did you communicate the key change to your users? How 
@@ -45,6 +47,8 @@ Have you ever wanted to be able to add or revoke the ability of a user's key to authenticate across an entire infrastructure you manage, without touching each host by hand? +[Get started with the monkeysphere as an administrator!](/getting-started-admin) + ## What's the connection? ## All of these issues are related to a lack of a [Public Key @@ -64,7 +68,7 @@ fingerprints) except in relatively rare situations (e.g. when two people meet in person for the first time). The good news is that this is all possible, and available with free -tools: welcome to the MonkeySphere! +tools: welcome to the Monkeysphere! ## Examples ## @@ -81,14 +85,14 @@ Alice can set up the new `bob` account on `foo.example.org` without needing to give Bob a new passphrase to remember, and without needing to even know Bob's current SSH key. She simply tells `foo` that `Bob ` should have access to the `bob` account. The -MonkeySphere on `foo` then verifies Bob's identity through the OpenPGP +Monkeysphere on `foo` then verifies Bob's identity through the OpenPGP Web of Trust and automatically add's Bob's SSH key to the authorized_keys file for the `bob` account. Bob's first connection to his new `bob` account on `foo.example.org` -is seamless, because the MonkeySphere on Bob's computer automatically +is seamless, because the Monkeysphere on Bob's computer automatically verifies the host key for `foo.example.org` for Bob. Using the -MonkeySphere, Bob never has to "accept" an unintelligible host key or +Monkeysphere, Bob never has to "accept" an unintelligible host key or type a password. When Bob decides to change the key he uses for SSH authentication, he 
@@ -116,10 +120,10 @@ allows a very flexible trust model, ranging all over the map, at the choice of the user: * individual per-host certifications by each client (much like the - stock OpenSSH behavior), + stock OpenSSH behavior), or * strict centralized Certificate Authorities (much like proposed X.509 - models), and + models), or * a more human-centric model that recognizes individual differences in ranges of trust and acceptance. 
@@ -133,3 +137,46 @@ than the current infrastructure allows, and is more meaningful to actual humans using these tools than some message like "Certified by GloboTrust". +You may also be interested in [some thoughts about alternate PKIs for +SSH](/similar). + +## Philosophy ## + +Humans (and +[monkeys](http://www.scottmccloud.com/comics/mi/mi-17/mi-17.html)) +have the innate capacity to keep track of the identities of only a +finite number of people. After our social sphere exceeds several dozen +or several hundred (depending on the individual), our ability to +remember and distinguish people begins to break down. In other words, +at a certain point, we can't know for sure that the person we ran into +in the produce aisle really is the same person who we met at the party +last week. + +For most of us, this limitation has not posed much of a problem in our +daily, off-line lives. With the Internet, however, we have an ability +to interact with vastly larger numbers of people than we had +before. In addition, on the Internet we lose many of our tricks for +remembering and identifying people (physical characteristics, sound of +the voice, etc.). + +Fortunately, with online communications we have easy access to tools +that can help us navigate these problems. +[OpenPGP](http://en.wikipedia.org/wiki/Openpgp) (a cryptographic +protocol commonly used for sending signed and encrypted email +messages) is one such tool. In its simplest form, it allows us to +sign our communication in such a way that the recipient can verify the +sender. + +OpenPGP goes beyond this simple use to implement a feature known as +the [web of trust](http://en.wikipedia.org/wiki/Web_of_trust). The web +of trust allows people who have never met in person to communicate +with a reasonable degree of certainty that they are who they say they +are. It works like this: Person A trusts Person B. Person B verifies +Person C's identity. 
Then, Person A can verify Person C's identity +because of their trust of Person B. + +The Monkeyshpere's broader goals are to extend the use of OpenPGP from +email communications to other activities, such as: + + * conclusively identifying the remote server in a remote login session + * granting access to servers to people we've never directly met
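Review bot: the new link text `[Get started with the monkeysphere as a user!](/getting-started-user)` in the `@@ -31,7 +31,9 @@` hunk spells the project name in lowercase, while this same patch renames every other occurrence to `Monkeysphere`; change it to `Get started with the Monkeysphere as a user!` (the admin link added in the following hunk has the same inconsistency).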
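Review bot: in the `@@ -81,14 +85,14 @@` hunk the context line `Web of Trust and automatically add's Bob's SSH key to the` still carries the typo `add's` (should be `adds`); since this paragraph is already being touched for the `Monkeysphere` rename, fold that fix in too.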
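Review bot: in the `@@ -133,3 +137,46 @@` hunk, `The Monkeyshpere's broader goals` misspells the project name (should be `Monkeysphere's`). The web-of-trust walkthrough in the same hunk (`Person A trusts Person B. Person B verifies Person C's identity. Then, Person A can verify Person C's identity`) holds only if A's trust in B is ownertrust, that is, trust in B as a certifier of other people's keys, not merely A having verified B's own identity; in OpenPGP a key that A has certified is valid for A but does not introduce further keys unless A explicitly assigns it that trust. Suggest rewording to `Person A trusts Person B to verify identities.` so readers do not assume every key they have signed automatically vouches for others.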