Diffstat (limited to 'doc/conferences')
-rw-r--r--  doc/conferences/lca2010/abstract          65
-rw-r--r--  doc/conferences/lca2010/bio               23
-rw-r--r--  doc/conferences/lca2010/experience        26
-rw-r--r--  doc/conferences/lca2010/outline           62
-rw-r--r--  doc/conferences/lca2010/techrequirements   1
-rw-r--r--  doc/conferences/lca2010/title              1
-rw-r--r--  doc/conferences/lca2010/videoabstract      1
-rw-r--r--  doc/conferences/seminar/abstract          17
-rw-r--r--  doc/conferences/seminar/outline           43
9 files changed, 0 insertions, 239 deletions
diff --git a/doc/conferences/lca2010/abstract b/doc/conferences/lca2010/abstract
deleted file mode 100644
index 2770675..0000000
--- a/doc/conferences/lca2010/abstract
+++ /dev/null
@@ -1,65 +0,0 @@
-The Monkeysphere uses the OpenPGP web of trust to provide a
-distributed Public Key Infrastructure (PKI) for users and
-administrators of ssh. This talk is about why the Monkeysphere is
-useful, how it works, and how you can use it to ease your workload and
-automatically fully authenticate people and servers.
-
-The Secure Shell protocol has offered public-key-based mutual
-authentication since its inception, but popular implementations offer
-no formalized public key infrastructure. This means there is no
-straightforward, computable method to signal re-keying events, key
-revocations, or even basic key-to-identity binding (e.g. "host
-foo.example.org has key X"). As a result, dealing with host keys is
-usually a manual process with the possibility of tedium, room for
-error, difficulty of maintenance, or users and administrators simply
-ignoring or skipping baseline cryptographic precautions.
-
-The OpenPGP specification offers a robust public key infrastructure
-that has traditionally only been used for e-mail and for encrypted
-storage. By its nature, the OpenPGP Web of Trust (WoT) is a
-distributed system, with no intrinsic chokepoints or global
-authorities. And the global key distribution network provides
-commonly-held, public infrastructure for rapid distribution of key
-changes, revocations, and identity binding.
-
-The Monkeysphere mixes the two to provide new functionality for ssh
-(key revocation, key expiry, re-keying, fewer unintelligible prompts,
-semantic authorization, etc) while taking advantage of existing but
-often-unused functionality in OpenPGP. Additionally, the Monkeysphere
-implementation does not require any patches to OpenSSH on the client
-or server, but takes advantage of existing hooks, which makes it easy
-to adopt.
-
-Specifically, the Monkeysphere allows users to automatically validate
-ssh host keys through the Web of Trust, and it allows servers to
-identify authorized users through the Web of Trust. Users decide
-which certifications in the Web of Trust they put stock in (so they
-are not spoofed by spurious certifications of host keys). Server
-administrators decide whose certifications the server should put stock
-in (so that the server is not spoofed by spurious certifications of
-user keys).
-
-This presentation will go over how the Monkeysphere works; how you can
-use it to increase the security of servers you maintain; how you can
-use it to increase the security of accounts you connect to with ssh;
-and we'll discuss future possibilities lurking in the ideas of the
-Monkeysphere.
-
-Monkeysphere is currently available in the main Debian repository and
-as a port in FreeBSD. A Slackbuild is available for Slackware, and
-Monkeysphere itself should work on any POSIX-ish system with the
-appropriate dependencies available.
-
-The Monkeysphere project began to coalesce in early 2008, and remains
-an ongoing collaboration of many people, including:
-
- * Micah Anderson
- * Mike Castleman
- * Daniel Kahn Gillmor
- * Ross Glover
- * Matthew James Goins
- * Greg Lyle
- * Jamie McClelland
- * Jameson Graef Rollins
-
-The project's main web site is http://web.monkeysphere.info/
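Review bot: The tail of this deleted file, the list of eight collaborators and the pointer to http://web.monkeysphere.info/, is project attribution rather than talk-specific text. Before the file goes, confirm the same credit list is kept somewhere else in the tree, or move it instead of deleting it along with the abstract.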
diff --git a/doc/conferences/lca2010/bio b/doc/conferences/lca2010/bio
deleted file mode 100644
index f358e02..0000000
--- a/doc/conferences/lca2010/bio
+++ /dev/null
@@ -1,23 +0,0 @@
-Daniel Kahn Gillmor (dkg) is a freelance Technology Advisor with a
-particular interest in cryptography, user interface design, and
-distributed systems as means to pursue the goals of user autonomy and
-resistance to centralized control. He contributes discussion and
-patches on several crypto-related lists, and is an active participant
-in what remains of the IETF OpenPGP Working Group. He co-administers
-one of the OpenPGP keyservers, and was dubiously involved in
-publicizing the ongoing transition to a post-SHA1 Web of Trust.
-
-dkg works with schools, NGOs, activist groups, and some corporations
-to help them understand their tech needs and risks, possible
-solutions, and how to use and understand the tools they choose. He
-works with several technology-focused organizations, including May
-First/People Link (http://mayfirst.org/) and Riseup
-(http://riseup.net).
-
-He is also a contributor to The Organic Internet
-(http://mayfirst.org/organicinternet), which includes his essay about
-structural flaws in the X.509 certificate model.
-
-dkg began working with free software in 2002, began work with the
-other Monkeysphere developers in 2008, and became a Debian Developer
-in 2009. People seem to laugh when they see his business card.
diff --git a/doc/conferences/lca2010/experience b/doc/conferences/lca2010/experience
deleted file mode 100644
index 8ca2a8e..0000000
--- a/doc/conferences/lca2010/experience
+++ /dev/null
@@ -1,26 +0,0 @@
-I've given several workshops and skillshares about the ideas behind
-OpenPGP and how to use gpg and its various frontends to
-small-to-medium groups (5 to 25 people).
-
-I led an effective skillshare on the nature of X.509-based
-certifications and how they are used in SSL and TLS back in 2003 or
-2004.
-
-I co-led a surprisingly large (~>50 people? packed room!) discussion
-about free software and why it should matter to users as well as
-developers a the Grassroots Media Conference a few years ago with
-Alfredo Lopez and Laura Quilter. This was a very active discussion,
-and topics ranged from motivation and policy to moderately technical
-concerns.
-
-I presented a poster with a colleague on a novel acoustic correlation
-method at ICASSP (the IEEE's International Conference on Acoustics,
-Speech, and Signal Processing) 2001 (though i've recently let my IEEE
-membership lapse).
-
-I've introduced numerous people to the monkeysphere via IRC
-discussions, and have a strong handle on both:
-
- * the necessary details to keep a technical audience engaged
-
- * the bigger-picture goals to keep a non-technical audience engaged
diff --git a/doc/conferences/lca2010/outline b/doc/conferences/lca2010/outline
deleted file mode 100644
index 15c4868..0000000
--- a/doc/conferences/lca2010/outline
+++ /dev/null
@@ -1,62 +0,0 @@
-
-
-
-The presentation is in three parts:
-
-Background
-----------
-
- * Why authentication using asymmetric crypto (as opposed to shared
- secrets) is important on today's network.
-
- * Overview of how ssh uses asymmetric crypto authentication (user ->
- host, host -> user)
-
- * Overview of relevant bits of OpenPGP (key -> User ID bindings,
- certifications, usage flags, key -> subkey bindings)
-
- * Overview of keyservers (the idea of gossip, One Big Network,
- propagation, issues around redundancy, logging, private access)
-
-
-How
----
-
- * How does the monkeysphere do it? (very brief under-the-hood)
-
- * How does a server administrator publish a host's ssh key to the Web
- of Trust? How do they maintain it?
-
- * How does a user incorporate WoT-based host-key checking into their
- regular ssh usage?
-
- * How does a user publish their own ssh identity to the WoT for hosts
- to find it? How do they maintain it?
-
- * How does a server administrator tell a server to admit certain
- people (as identified by the WoT) to certain accounts? How do they
- tell the server which certifications are trustworthy?
-
-Possible Futures
-----------------
-
- * Use the Monkeysphere with ssh implementations other than OpenSSH
- (dropbear, lsh, putty, etc)
-
- * Expansion of the Monkeysphere's out-of-band PKI mechanism for
- authentication in protocols other than SSH (TLS, HTTPS) without
- protocol modification.
-
- * Use of OpenPGP certificates directly in SSH. OpenPGP is referenced
- in RFC 4253 already: optional, rarely implemented, and deliberately
- ambiguous about how to calculate key->identity bindings.
-
- * Use of OpenPGP certificates for authentication directly in
- protocols. RFC 5081 provides a mechanism for OpenPGP certificates
- in TLS, but is similarly ambiguous about certificate verification.
-
- * Better end-user control over verification: Who or what are you
- really connecting to? How do you know? How can this information
- be effectively and intuitively displayed to a typical user?
-
- * What would you like to see?
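Review bot: The "Possible Futures" list at the end of this outline reads as roadmap material, not just talk notes. The two items on RFC 4253 and RFC 5081 record that both specs are ambiguous about key->identity binding and certificate verification, which is design rationale worth keeping. If that is not tracked elsewhere, consider moving those bullets to a roadmap or design note rather than dropping them with the rest of doc/conferences.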
diff --git a/doc/conferences/lca2010/techrequirements b/doc/conferences/lca2010/techrequirements
deleted file mode 100644
index cc0d1b9..0000000
--- a/doc/conferences/lca2010/techrequirements
+++ /dev/null
@@ -1 +0,0 @@
-no non-standard technical requirements should be necessary.
diff --git a/doc/conferences/lca2010/title b/doc/conferences/lca2010/title
deleted file mode 100644
index 36ef904..0000000
--- a/doc/conferences/lca2010/title
+++ /dev/null
@@ -1 +0,0 @@
-Using the Monkeysphere: effective, distributed key management for SSH using the Web of Trust
diff --git a/doc/conferences/lca2010/videoabstract b/doc/conferences/lca2010/videoabstract
deleted file mode 100644
index 7e1536c..0000000
--- a/doc/conferences/lca2010/videoabstract
+++ /dev/null
@@ -1 +0,0 @@
-do we have something like this?
diff --git a/doc/conferences/seminar/abstract b/doc/conferences/seminar/abstract
deleted file mode 100644
index 83fddfc..0000000
--- a/doc/conferences/seminar/abstract
+++ /dev/null
@@ -1,17 +0,0 @@
-Monkeysphere provides a robust, decentralized, out-of-band Public Key
-Infrastructure (PKI) based on OpenPGP's Web of Trust. It is intended
-to support any protocol which needs public-key authentication or
-binding between public keys and real-world entities. Current
-implementations include mutual authentication (both server and client)
-for SSH and authentication of servers for HTTPS. The technique is
-resistant to X.509's inherent single-issuer policy bias, allows use of
-a single key for a host offering multiple services, and handles
-initial contact, re-keying, and revocation better than OpenSSH's
-traditional key continuity management (KCM) scheme. It also requires
-no changes to on-the-wire protocols, and is transparently
-interoperable with existing tools, so the migration path to the new
-PKI is smooth (and encouraged). Discussion will include the merits
-and drawbacks of the Monkeysphere, as well as its relationship to
-in-band measures (such as the Server Name Indication (SNI) TLS
-extension and the subjectAltName (sAN) extended attribute for X.509v3
-certificates) which provide some pieces of similar functionality.
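Review bot: Possible documentation loss in the middle of this abstract: it states the project's security claims against OpenSSH's KCM (initial contact, re-keying, revocation) and against X.509 (single-issuer policy bias), and names server authentication for HTTPS as a current implementation. If the user-facing documentation does not already make these points, carry the text over there instead of deleting it with the seminar material.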
diff --git a/doc/conferences/seminar/outline b/doc/conferences/seminar/outline
deleted file mode 100644
index 1531353..0000000
--- a/doc/conferences/seminar/outline
+++ /dev/null
@@ -1,43 +0,0 @@
-outline for 1 hr seminar talk to CS/security academics
-
- - key-based authentication is here to stay. (e.g. https, ssh).
- - host vs. user
-
- - raises key management/distribution issues
-
- - what PKIs are available? X.509, OpenPGP, SPKI
-
- - social vulnerabilities - single-signer vs. multi-signer
-
- - protocol vulnerabilities - single cert vs. multi-cert (server
- vs. client again)
-
- - utility for group-internal work, phased approach to public
-
-
-
-Stream-based communications over the public network have an
-authentication problem. Most data streams are not authenticated in
-either direction, and most of those that are authenticated in at least
-one direction use authentication regimes which suffer from a range of
-known structural problems.
-
-Public-key-based authentication offers security advantages over
-shared-secret approaches, but it introduces additional questions of
-key distribution, binding, and revocation. Two common solutions to
-these problems on today's network are X.509 certificates (used by TLS
-connections like HTTPS) and so-called "key continuity management"
-(KCM) (used by popular SSH implementations and the "security
-exceptions" interface for some web browsers). Both of these schemes
-present security concerns of their own: KCM has trouble with initial
-contact, key revocation, and re-keying; and X.509's single-issuer
-certificate format has a systemic bias that selects for unaccountable
-third-party authorities. New work ("the Monkeysphere") extends the
-OpenPGP Web of Trust into authenticating stream-based communications
-(instead of its traditional message-based environment of e-mails and
-files) by means of a protocol-independent overlay. As a simple,
-alternative PKI, the Monkeysphere resolves these failings, and also
-provides features currently only available as protocol extensions
-(such as SNI).
-
-