diff options
Diffstat (limited to 'doc/conferences/seminar')
| -rw-r--r-- | doc/conferences/seminar/abstract | 17 | ||||
| -rw-r--r-- | doc/conferences/seminar/outline | 43 |
2 files changed, 0 insertions, 60 deletions
diff --git a/doc/conferences/seminar/abstract b/doc/conferences/seminar/abstract deleted file mode 100644 index 83fddfc..0000000 --- a/doc/conferences/seminar/abstract +++ /dev/null @@ -1,17 +0,0 @@ -Monkeysphere provides a robust, decentralized, out-of-band Public Key -Infrastructure (PKI) based on OpenPGP's Web of Trust. It is intended -to support any protocol which needs public-key authentication or -binding between public keys and real-world entities. Current -implementations include mutual authentication (both server and client) -for SSH and authentication of servers for HTTPS. The technique is -resistant to X.509's inherent single-issuer policy bias, allows use of -a single key for a host offering multiple services, and handles -initial contact, re-keying, and revocation better than OpenSSH's -traditional key continuity management (KCM) scheme. It also requires -no changes to on-the-wire protocols, and is transparently -interoperable with existing tools, so the migration path to the new -PKI is smooth (and encouraged). Discussion will include the merits -and drawbacks of the Monkeysphere, as well as its relationship to -in-band measures (such as the Server Name Indication (SNI) TLS -extension and the subjectAltName (sAN) extended attribute for X.509v3 -certificates) which provide some pieces of similar functionality. diff --git a/doc/conferences/seminar/outline b/doc/conferences/seminar/outline deleted file mode 100644 index 1531353..0000000 --- a/doc/conferences/seminar/outline +++ /dev/null @@ -1,43 +0,0 @@ -outline for 1 hr seminar talk to CS/security academics - - - key-based authentication is here to stay. (e.g. https, ssh). - - host vs. user - - - raises key management/distribution issues - - - what PKIs are available? X.509, OpenPGP, SPKI - - - social vulnerabilities - single-signer vs. multi-signer - - - protocol vulnerabilities - single cert vs. multi-cert (server - vs. client again) - - - utility for group-internal work, phased approach to public - - - -Stream-based communications over the public network have an -authentication problem. Most data streams are not authenticated in -either direction, and most of those that are authenticated in at least -one direction use authentication regimes which suffer from a range of -known structural problems. - -Public-key-based authentication offers security advantages over -shared-secret approaches, but it introduces additional questions of -key distribution, binding, and revocation. Two common solutions to -these problems on today's network are X.509 certificates (used by TLS -connections like HTTPS) and so-called "key continuity management" -(KCM) (used by popular SSH implementations and the "security -exceptions" interface for some web browsers). Both of these schemes -present security concerns of their own: KCM has trouble with initial -contact, key revocation, and re-keying; and X.509's single-issuer -certificate format has a systemic bias that selects for unaccountable -third-party authorities. New work ("the Monkeysphere") extends the -OpenPGP Web of Trust into authenticating stream-based communications -(instead of its traditional message-based environment of e-mails and -files) by means of a protocol-independent overlay. As a simple, -alternative PKI, the Monkeysphere resolves these failings, and also -provides features currently only available as protocol extensions -(such as SNI). - - |