-The Monkeysphere project's goal is to extend the web of trust model and other
-features of OpenPGP to other areas of the Internet to help us securely identify
-each other while we work online.
-
-[[bugs]] | [[download]] | [[news]]
-
-##Conceptual overview##
-
-Humans (and monkeys) have innate capacity to keep track of the identity of a
-finite number of people. After our social sphere exceeds several dozen or
-several hundred (depending on the individual), our ability to remember and
-distinguish people begins to break down. In other words, at a certain point, we
-can't know for sure that the person we ran into in the produce aisle really is
-the same person who we met at the party last week.
-
-For most of us, this limitation has not posed much of a problem in our daily,
-off-line lives. With the Internet, however, we have an ability to interact
-with vastly larger numbers of people than we had before. In addition, on the
-Internet we lose many of our tricks for remembering and identifying people
-(physical characteristics, sound of the voice, etc.).
-
-Fortunately, with online communications we have easy access to tools that can
-help us navigate these problems.
-[OpenPGP](http://en.wikipedia.org/wiki/Openpgp) (a protocol commonly used for
-sending signed and encrypted email messagess) is one such tool. In its simplest
-form, it allows us to sign our communication in such a way that the recipient
-can verify the sender.
-
-OpenPGP goes beyond this simple use to implement a feature known as the [web of
-trust](http://en.wikipedia.org/wiki/Openpgp#Web_of_trust). The web of trust
-allows people who have never met in person to communicate with a reasonable
-degree of certainty that they are who they say they are. It works like this:
-Person A trusts Person B. Person B verifies Person C's identity. Then, Person
-A can verify Person C's identity.
-
-The Monkeyshpere's goal is to extend the use of OpenPGP from email
-communications to other activities, such as:
-
- * trusting the servers we login to
- * granting access to servers to people we've never met
-
-##Technical Details##
-
-The project's first goal is to integrate with
-[OpenSSH](http://en.wikipedia.org/wiki/Openssh).
-
-OpenSSH provides a functional way for management of explicit RSA keys (without
-certification of any type). The basic idea of this project is to create a
-framework that uses GPG's keyring manipulation capabilities and public
-keyservers to generate files that OpenSSH will accept and handle without
-complaint.
-
-Both entities in an OpenSSH connection (client and server) thus have the
-responsibility to explicitly designate who they trust to "introduce" others.
-They can explicitly indicate this trust relationship with traditional GPG
-keyring trust indicators. No modification is made to the SSH protocol on the
-wire, which continues to use raw RSA public keys.
+[[!meta title="The Monkeysphere Project"]]
+[[!meta license="Unless otherwise noted, all content on this web site is licensed under the GPL version 3 or later"]]
+[[!meta copyright="All content on this web site is copyright by the author of that content. [Look in the revision control system](community) for details about who authored a particular piece of content."]]
+
+# The Monkeysphere Project #
+
+The Monkeysphere project's goal is to extend OpenPGP's web of trust to
+new areas of the Internet to help us securely identify each other
+while we work online.
+
+Specifically, monkeysphere currently offers a framework to leverage
+the OpenPGP web of trust for OpenSSH authentication.
+
+In other words, it allows you to use secure shell as you normally do,
+but to identify yourself and the servers you administer or connect to
+with your OpenPGP keys. OpenPGP keys are tracked via GnuPG, and
+monkeysphere manages the `known_hosts` and `authorized_keys` files
+used by OpenSSH for authentication, checking them for cryptographic
+validity.
+
+## Overview ##
+
+Everyone who has used secure shell is familiar with the prompt given
+the first time you log in to a new server, asking if you want to trust
+the server's key by verifying the key fingerprint. Unfortunately,
+unless you have access to the server's key fingerprint through a
+secure out-of-band channel, there is no way to verify that the
+fingerprint you are presented with is in fact that of the server
+you're really trying to connect to.
+
+Many users also take advantage of OpenSSH's ability to use RSA or DSA
+keys for authenticating to a server (known as
+"`PubkeyAuthentication`"), rather than relying on a password exchange.
+But again, the public part of the key needs to be transmitted to the
+server through a secure out-of-band channel (usually via a separate
+password-based SSH connection or a (hopefully signed) e-mail to the
+system administrator) in order for this type of authentication to
+work.
+
+[OpenSSH](http://openssh.com/) currently provides a functional way to
+manage the RSA and DSA keys required for these interactions through
+the `known_hosts` and `authorized_keys` files. However, it lacks any
+type of [Public Key Infrastructure
+(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure) that
+can verify that the keys being used really are the one required or
+expected.
+
+The basic idea of the Monkeysphere is to create a framework that uses
+[GnuPG](http://www.gnupg.org/)'s keyring manipulation capabilities and
+public keyserver communication to manage the keys that OpenSSH uses
+for connection authentication.
+
+The Monkeysphere therefore provides an effective PKI for OpenSSH,
+including the possibility for key transitions, transitive
+identifications, revocations, and expirations. It also actively
+invites broader participation in the
+[OpenPGP](http://en.wikipedia.org/wiki/Openpgp) [web of
+trust](http://en.wikipedia.org/wiki/Web_of_trust).
+
+Under the Monkeysphere, both parties to an OpenSSH connection (client
+and server) explicitly designate who they trust to certify the
+identity of the other party. These trust designations are explicitly
+indicated with traditional GPG keyring trust models. Monkeysphere
+then manages the keys in the `known_hosts` and `authorized_keys` files
+directly, in such a way that is completely transparent to `ssh`. No
+modification is made to the SSH protocol on the wire (it continues to
+use raw RSA public keys), and no modification is needed to the OpenSSH
+software.
+
+To emphasize: ***no modifications to SSH are required to use the
+Monkeysphere***. OpenSSH can be used as is; completely unpatched and
+"out of the box".
+
+## License ##
+
+All Monkeysphere software is copyright, 2007-2010, by [the
+authors](community), and released under [GPL, version 3 or
+later](http://www.gnu.org/licenses/gpl-3.0.html).
----
This wiki is powered by [ikiwiki](http://ikiwiki.info).
-
projects / monkeysphere.git / blobdiff