summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>2010-02-08 14:55:29 -0500
committerDaniel Kahn Gillmor <dkg@fifthhorseman.net>2010-02-08 14:55:29 -0500
commit838f52739cc05bfaca19e49bc64c17b435022f1c (patch)
tree8efcda1cc00c198e4c9e48b15af84b6b766ff5d6 /doc
parent1a64ed28ce14cdb98ff5ff15430ac03da0c3dc78 (diff)
initial seminar details -- abstract and feeble outline
Diffstat (limited to 'doc')
-rw-r--r--doc/conferences/seminar/abstract17
-rw-r--r--doc/conferences/seminar/outline43
2 files changed, 60 insertions, 0 deletions
diff --git a/doc/conferences/seminar/abstract b/doc/conferences/seminar/abstract
new file mode 100644
index 0000000..83fddfc
--- /dev/null
+++ b/doc/conferences/seminar/abstract
@@ -0,0 +1,17 @@
+Monkeysphere provides a robust, decentralized, out-of-band Public Key
+Infrastructure (PKI) based on OpenPGP's Web of Trust. It is intended
+to support any protocol which needs public-key authentication or
+binding between public keys and real-world entities. Current
+implementations include mutual authentication (both server and client)
+for SSH and authentication of servers for HTTPS. The technique is
+resistant to X.509's inherent single-issuer policy bias, allows use of
+a single key for a host offering multiple services, and handles
+initial contact, re-keying, and revocation better than OpenSSH's
+traditional key continuity management (KCM) scheme. It also requires
+no changes to on-the-wire protocols, and is transparently
+interoperable with existing tools, so the migration path to the new
+PKI is smooth (and encouraged). Discussion will include the merits
+and drawbacks of the Monkeysphere, as well as its relationship to
+in-band measures (such as the Server Name Indication (SNI) TLS
+extension and the subjectAltName (sAN) extended attribute for X.509v3
+certificates) which provide some pieces of similar functionality.
diff --git a/doc/conferences/seminar/outline b/doc/conferences/seminar/outline
new file mode 100644
index 0000000..1531353
--- /dev/null
+++ b/doc/conferences/seminar/outline
@@ -0,0 +1,43 @@
+outline for 1 hr seminar talk to CS/security academics
+
+ - key-based authentication is here to stay. (e.g. https, ssh).
+ - host vs. user
+
+ - raises key management/distribution issues
+
+ - what PKIs are available? X.509, OpenPGP, SPKI
+
+ - social vulnerabilities - single-signer vs. multi-signer
+
+ - protocol vulnerabilities - single cert vs. multi-cert (server
+ vs. client again)
+
+ - utility for group-internal work, phased approach to public
+
+
+
+Stream-based communications over the public network have an
+authentication problem. Most data streams are not authenticated in
+either direction, and most of those that are authenticated in at least
+one direction use authentication regimes which suffer from a range of
+known structural problems.
+
+Public-key-based authentication offers security advantages over
+shared-secret approaches, but it introduces additional questions of
+key distribution, binding, and revocation. Two common solutions to
+these problems on today's network are X.509 certificates (used by TLS
+connections like HTTPS) and so-called "key continuity management"
+(KCM) (used by popular SSH implementations and the "security
+exceptions" interface for some web browsers). Both of these schemes
+present security concerns of their own: KCM has trouble with initial
+contact, key revocation, and re-keying; and X.509's single-issuer
+certificate format has a systemic bias that selects for unaccountable
+third-party authorities. New work ("the Monkeysphere") extends the
+OpenPGP Web of Trust into authenticating stream-based communications
+(instead of its traditional message-based environment of e-mails and
+files) by means of a protocol-independent overlay. As a simple,
+alternative PKI, the Monkeysphere resolves these failings, and also
+provides features currently only available as protocol extensions
+(such as SNI).
+
+