-The Monkeysphere project's goal is to extend the web of trust model
-and other features of OpenPGP to other areas of the Internet to help
-us securely identify each other while we work online.
+[[!meta title="The Monkeysphere Project"]]
+[[!meta license="Unless otherwise noted, all content on this web site is licensed under the GPL version 3 or later"]]
+[[!meta copyright="All content on this web site is copyright by the author of that content. [Look in the revision control system](community) for details about who authored a particular piece of content."]]
-Specifically, the Monkeysphere is a framework to leverage the OpenPGP
-web of trust for OpenSSH authentication. In other words, it allows
-you to use your OpenPGP keys when using secure shell to both identify
-yourself and the servers you administer or connect to. OpenPGP keys
-are tracked via GnuPG, and managed in the known\_hosts and
-authorized\_keys files used by OpenSSH for connection authentication.
+# The Monkeysphere Project #
-[[bugs]] | [[download]] | [[news]] | [[documentation|doc]]
+The Monkeysphere project's goal is to extend OpenPGP's web of trust to
+new areas of the Internet to help us securely identify each other
+while we work online.
-## Conceptual overview ##
+Specifically, monkeysphere currently offers a framework to leverage
+the OpenPGP web of trust for OpenSSH authentication.
-Everyone who has used secure shell is familiar with the prompt given
-the first time you login, asking if you want to trust the server's
-fingerprint. In addition, many of us take advantage of OpenSSH's
-ability to use RSA or DSA keys for authenticating to a server, rather
-than relying on a password exchange.
+In other words, it allows you to use secure shell as you normally do,
+but to identify yourself and the servers you administer or connect to
+with your OpenPGP keys. OpenPGP keys are tracked via GnuPG, and
+monkeysphere manages the `known_hosts` and `authorized_keys` files
+used by OpenSSH for authentication, checking them for cryptographic
+validity.
+
+## Overview ##
-[OpenSSH](http://openssh.com/) already provides a functional way for
-managing the RSA and DSA keys required for these
-interactions. However, it lacks any type of [Public Key Infrastructure
-(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure).
+Everyone who has used secure shell is familiar with the prompt given
+the first time you log in to a new server, asking if you want to trust
+the server's key by verifying the key fingerprint. Unfortunately,
+unless you have access to the server's key fingerprint through a
+secure out-of-band channel, there is no way to verify that the
+fingerprint you are presented with is in fact that of the server
+you're really trying to connect to.
+
+Many users also take advantage of OpenSSH's ability to use RSA or DSA
+keys for authenticating to a server (known as
+"`PubkeyAuthentication`"), rather than relying on a password exchange.
+But again, the public part of the key needs to be transmitted to the
+server through a secure out-of-band channel (usually via a separate
+password-based SSH connection or a (hopefully signed) e-mail to the
+system administrator) in order for this type of authentication to
+work.
+
+[OpenSSH](http://openssh.com/) currently provides a functional way to
+manage the RSA and DSA keys required for these interactions through
+the `known_hosts` and `authorized_keys` files. However, it lacks any
+type of [Public Key Infrastructure
+(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure) that
+can verify that the keys being used really are the one required or
+expected.
The basic idea of the Monkeysphere is to create a framework that uses
[GnuPG](http://www.gnupg.org/)'s keyring manipulation capabilities and
public keyserver communication to manage the keys that OpenSSH uses
-for connection authentication.
+for connection authentication.
+
+The Monkeysphere therefore provides an effective PKI for OpenSSH,
+including the possibility for key transitions, transitive
+identifications, revocations, and expirations. It also actively
+invites broader participation in the
+[OpenPGP](http://en.wikipedia.org/wiki/Openpgp) [web of
+trust](http://en.wikipedia.org/wiki/Web_of_trust).
Under the Monkeysphere, both parties to an OpenSSH connection (client
and server) explicitly designate who they trust to certify the
identity of the other party. These trust designations are explicitly
indicated with traditional GPG keyring trust models. Monkeysphere
-then manages the keys in the known\_hosts and authorized\_keys files
-directly, in such a way that is completely transparent to SSH. No
+then manages the keys in the `known_hosts` and `authorized_keys` files
+directly, in such a way that is completely transparent to `ssh`. No
modification is made to the SSH protocol on the wire (it continues to
use raw RSA public keys), and no modification is needed to the OpenSSH
software.
-To emphasize: *no SSH modification is required to use the
-Monkeysphere*.
-
-This offers users of OpenSSH an effective PKI, including the
-possibility for key transitions, transitive identifications,
-revocations, and expirations. It also actively invites broader
-participation in the [OpenPGP](http://en.wikipedia.org/wiki/Openpgp)
-[web of trust](http://en.wikipedia.org/wiki/Web_of_trust).
-
-## Philosophy ##
-
-Humans (and
-[monkeys](http://www.scottmccloud.com/comics/mi/mi-17/mi-17.html))
-have innate capacity to keep track of the identity of a finite number
-of people. After our social sphere exceeds several dozen or several
-hundred (depending on the individual), our ability to remember and
-distinguish people begins to break down. In other words, at a certain
-point, we can't know for sure that the person we ran into in the
-produce aisle really is the same person who we met at the party last
-week.
-
-For most of us, this limitation has not posed much of a problem in our
-daily, off-line lives. With the Internet, however, we have an ability
-to interact with vastly larger numbers of people than we had
-before. In addition, on the Internet we lose many of our tricks for
-remembering and identifying people (physical characteristics, sound of
-the voice, etc.).
-
-Fortunately, with online communications we have easy access to tools
-that can help us navigate these problems.
-[OpenPGP](http://en.wikipedia.org/wiki/Openpgp) (a cryptographic
-protocol commonly used for sending signed and encrypted email
-messages) is one such tool. In its simplest form, it allows us to
-sign our communication in such a way that the recipient can verify the
-sender.
-
-OpenPGP goes beyond this simple use to implement a feature known as
-the [web of trust](http://en.wikipedia.org/wiki/Web_of_trust). The web
-of trust allows people who have never met in person to communicate
-with a reasonable degree of certainty that they are who they say they
-are. It works like this: Person A trusts Person B. Person B verifies
-Person C's identity. Then, Person A can verify Person C's identity.
-
-The Monkeyshpere's broader goals are to extend the use of OpenPGP from
-email communications to other activities, such as:
-
- * conclusively identifying the remote server in a remote login session
- * granting access to servers to people we've never directly met
-
-## Links ##
-
-* [OpenSSH](http://openssh.com/)
-* [GnuPG](http://www.gnupg.org/)
-* [OpenPGP RFC 4880](http://tools.ietf.org/html/rfc4880)
-* [URI scheme for SSH, RFC draft](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/)
+To emphasize: ***no modifications to SSH are required to use the
+Monkeysphere***. OpenSSH can be used as is; completely unpatched and
+"out of the box".
+
+## License ##
+All Monkeysphere software is copyright, 2007-2010, by [the
+authors](community), and released under [GPL, version 3 or
+later](http://www.gnu.org/licenses/gpl-3.0.html).
----
projects / monkeysphere.git / blobdiff