22 files changed, 613 insertions, 91 deletions
diff --git a/website/bugs.mdwn b/website/bugs.mdwn
index d621500..bd437f9 100644
--- a/website/bugs.mdwn
+++ b/website/bugs.mdwn
@@ -2,10 +2,18 @@
 
 # Bugs #
 
-This is Monkeysphere's bug list.  You can also browse our [completed bugs](done).
+The Monkeysphere is moving to a [new issue tracking
+system](https://labs.riseup.net/code/projects/show/monkeysphere),
+hosted at [Riseup Labs](https://labs.riseup.net/code).  We're leaving
+this old bug list up during the transition.
 
-If you don't have commit access to the public repo, we'd appreciate
-you reporting bugs on [the monkeysphere mailing list](/community).
+If you use [Debian](htt[://debian.org), please consider submitting
+your bug to the [Debian BTS](http://bugs.debian.org/monkeysphere).
+
+You can also browse our [completed bugs](done).
+
+Please feel free to also ask any questions on the [the monkeysphere
+mailing list](/community).
 
 [[inline pages="./bugs/* and !./bugs/done and !link(done) 
 and !*/Discussion" actions=yes postform=yes show=0]]
diff --git a/website/bugs/posix_compliance.mdwn b/website/bugs/posix_compliance.mdwn
new file mode 100644
index 0000000..d418e98
--- /dev/null
+++ b/website/bugs/posix_compliance.mdwn
@@ -0,0 +1,12 @@
+It would be nice to make all of the Monkeysphere scripts POSIX
+compliant, for portability and light-weightedness.  Better POSIX
+compliance would probably at least be better for compatibility with
+o{ther,lder} versions of bash.  Unfortunately there are quite a few
+bashism at the moment, so this may not be trivial.  For instance:
+
+      servo:~/cmrg/monkeysphere/git 0$ checkbashisms -f src/monkeysphere-server 2>&1 | wc -l
+      50
+      servo:~/cmrg/monkeysphere/git 0$ 
+
+It looks like the biggest complication for this would be the
+occasional use of bash arrays.
diff --git a/website/bugs/problems-with-root-owned-gpg-keyrings.mdwn b/website/bugs/problems-with-root-owned-gpg-keyrings.mdwn
index 65268c5..67bc9d2 100644
--- a/website/bugs/problems-with-root-owned-gpg-keyrings.mdwn
+++ b/website/bugs/problems-with-root-owned-gpg-keyrings.mdwn
@@ -22,3 +22,100 @@ be hiding a bug, rather than getting it fixed correctly.
 Are there other ways we can deal with this problem?
 
 --dkg
+
+Here is an example when using monkeysphere-server
+add-identity-certifier on a host with a newly-installed monkeysphere
+installaton.  Note that running the same command a second time works
+as expected:
+
+     0 pip:~# monkeysphere-server c+ 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9
+     gpg: requesting key D21739E9 from hkp server pool.sks-keyservers.net
+     gpg: key D21739E9: public key "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" imported
+     gpg: can't create `/var/lib/monkeysphere/gnupg-host/pubring.gpg.tmp': Permission denied
+     gpg: failed to rebuild keyring cache: file open error
+     gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+     gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
+     gpg: next trustdb check due at 2009-03-30
+     gpg: Total number processed: 1
+     gpg:               imported: 1  (RSA: 1)
+     Could not receive a key with this ID from the 'pool.sks-keyservers.net' keyserver.
+     255 pip:~# monkeysphere-server c+ 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9
+     gpg: requesting key D21739E9 from hkp server pool.sks-keyservers.net
+     gpg: key D21739E9: "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" not changed
+     gpg: Total number processed: 1
+     gpg:              unchanged: 1
+
+     key found:
+     pub   4096R/D21739E9 2007-06-02 [expires: 2012-05-31]
+           Key fingerprint = 0EE5 BE97 9282 D80B 9F75  40F1 CCD2 ED94 D217 39E9
+     uid       [ unknown] Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+     uid       [ unknown] Daniel Kahn Gillmor <dkg@openflows.com>
+     uid       [ unknown] Daniel Kahn Gillmor <dkg@astro.columbia.edu>
+     uid       [ unknown] Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
+     uid       [ unknown] [jpeg image of size 3515]
+     sub   2048R/4BFA08E4 2008-06-19 [expires: 2009-06-19]
+     sub   4096R/21484CFF 2007-06-02 [expires: 2012-05-31]
+
+     Are you sure you want to add the above key as a
+     certifier of users on this system? (y/N) y
+     gpg: key D21739E9: public key "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" imported
+     gpg: Total number processed: 1
+     gpg:               imported: 1  (RSA: 1)
+     gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+     gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
+     gpg: next trustdb check due at 2009-03-30
+     gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
+     This is free software: you are free to change and redistribute it.
+     There is NO WARRANTY, to the extent permitted by law.
+
+
+     pub  4096R/D21739E9  created: 2007-06-02  expires: 2012-05-31  usage: SC  
+                          trust: unknown       validity: unknown
+     [ unknown] (1). Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+     [ unknown] (2)  Daniel Kahn Gillmor <dkg@openflows.com>
+     [ unknown] (3)  Daniel Kahn Gillmor <dkg@astro.columbia.edu>
+     [ unknown] (4)  Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
+     [ unknown] (5)  [jpeg image of size 3515]
+
+
+     pub  4096R/D21739E9  created: 2007-06-02  expires: 2012-05-31  usage: SC  
+                          trust: unknown       validity: unknown
+      Primary key fingerprint: 0EE5 BE97 9282 D80B 9F75  40F1 CCD2 ED94 D217 39E9
+
+          Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+          Daniel Kahn Gillmor <dkg@openflows.com>
+          Daniel Kahn Gillmor <dkg@astro.columbia.edu>
+          Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
+          [jpeg image of size 3515]
+
+     This key is due to expire on 2012-05-31.
+     Please decide how far you trust this user to correctly verify other users' keys
+     (by looking at passports, checking fingerprints from different sources, etc.)
+
+       1 = I trust marginally
+       2 = I trust fully
+
+
+     Please enter the depth of this trust signature.
+     A depth greater than 1 allows the key you are signing to make
+     trust signatures on your behalf.
+
+
+     Please enter a domain to restrict this signature, or enter for none.
+
+
+     Are you sure that you want to sign this key with your
+     key "ssh://pip.fifthhorseman.net" (9B83C17D)
+
+     The signature will be marked as non-exportable.
+
+
+     gpg: can't create `/var/lib/monkeysphere/gnupg-host/pubring.gpg.tmp': Permission denied
+     gpg: failed to rebuild keyring cache: file open error
+     gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+     gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
+     gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 1f, 0u
+     gpg: next trustdb check due at 2009-03-30
+
+     Identity certifier added.
+     0 pip:~# 
diff --git a/website/bugs/use_getopts_instead_of_getopt.mdwn b/website/bugs/use_getopts_instead_of_getopt.mdwn
new file mode 100644
index 0000000..2ec68d6
--- /dev/null
+++ b/website/bugs/use_getopts_instead_of_getopt.mdwn
@@ -0,0 +1,19 @@
+Since Monkeysphere is using bash, it would be nice to use the shell
+build in getopts function, instead of the external getopt program.
+This would reduce an external dependency, which would definitely be
+better for portability.
+
+---
+
+So it looks like the sh built-in getopts does not include long options
+(eg. "--expire").  Is it worth getting rid of the long options for
+this?
+
+---
+
+Why not just get rid of getopts altogether and perform a simple
+argument-processing loop with bash string tests?  We're only invoking
+getopt in three places, and each invocation is no more complex than
+three arguments -- and most arguments take a separate parameter, which
+means that handling tricky arg blobs like -aCxr are not gonna be
+supported anyway.
diff --git a/website/bugs/useful_information.mdwn b/website/bugs/useful_information.mdwn
new file mode 100644
index 0000000..025d678
--- /dev/null
+++ b/website/bugs/useful_information.mdwn
@@ -0,0 +1,50 @@
+I would like to know, at INFO (default) log level, when the 
+monkeyspehere makes a "real" modification to my known\_hosts file; that 
+is, when it adds or deletes a key.
+
+Apparently this is hard because monkeysphere is currently configured to 
+delete all keys and then add good keys, so a key added for the first 
+time seems to the monkeysphere very similar to a key re-added ten 
+seconds after last login.
+
+Still, from a UI perspective, I want to know what monkeysphere is doing.
+
+------
+
+It looks like jrollins committed a change for reporting at INFO level
+when a host key gets added by the monkeysphere:
+2459fa3ea277d7b9289945748619eab1e3441e5c
+
+When i connect to a host whose key is not already present in my
+known_hosts file, i get the following to stderr:
+
+    ms: * new key for squeak.fifthhorseman.net added to known_hosts file.
+
+This doesn't fully close this bug, because we aren't notifying on key
+deletion, afaict.
+
+------
+
+So current log level DEBUG will output a message if the known host
+file has been modified.  If the issue is that you want to know at the
+default log level everytime the known\_hots file is modified, then we
+should just move this message to INFO instead of debug, and then maybe
+remove the message that I added above.  I was under the impression
+that the issue was more about notification that a *new* key was added
+to the known\_hosts file, and therefore the new INFO message above
+fixed that problem.  Should we do this instead?
+
+In general, more verbose log levels *do* tell the user what the
+monkeysphere is doing.  Moving to DEBUG log level will tell you pretty
+much everything that happens.  I do *not* think that this should be
+the default log level, though.
+
+------
+
+I wouldn't want to see an extremely verbose default log level.  But i
+do think that saying something like "key blah blah blah was stripped
+from your known\_hosts file because it was expired" (for example)
+would be useful.  I think this case would occur infrequently enough
+that it is worth reporting in the UI at the regular log level.
+
+  --dkg
diff --git a/website/doc.mdwn b/website/doc.mdwn
index 56498e8..28db2ef 100644
--- a/website/doc.mdwn
+++ b/website/doc.mdwn
@@ -2,27 +2,29 @@
 
 # Documentation #
 
-## Dependencies ##
-
-Monkeysphere relies on:
-
- * [GnuTLS](http://gnutls.org/) version 2.4.0 or later
- * [OpenSSH](http://openssh.com/)
- * [GnuPG](http://gnupg.org/)
-
 ## Getting started ##
 
  * [Downloading and installing](/download)
  * Getting started as a [user](/getting-started-user)
  * Getting started as a [server admin](/getting-started-admin)
+
+## Going further ##
+
+ * [Signing host keys](/signing-host-keys)
+
+## Under the hood ##
+
  * [Developing the monkeysphere](/community)
+ * [Technical details](/technical-details)
 
 ## References ##
 
- * [Initial specifications at CMRG](http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH)
+ * [OpenSSH](http://openssh.com/)
+ * [GnuPG](http://www.gnupg.org/)
  * [OpenPGP (RFC 4880)](http://tools.ietf.org/html/rfc4880)
  * [Secure Shell Authentication Protocol (RFC 4252)](http://tools.ietf.org/html/rfc4252)
    * [URI scheme for SSH, RFC draft](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/)
+ * [Initial Monkeysphere specifications at CMRG](http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH)
 
 ## Other ##
 
diff --git a/website/download.mdwn b/website/download.mdwn
index 1f27fde..a5c7479 100644
--- a/website/download.mdwn
+++ b/website/download.mdwn
@@ -2,10 +2,25 @@
 
 # Downloading and Installing #
 
+Once you've installed the packages, please see the [documentation
+page](/doc) to read up on how to get started [as a regular
+user](/getting-started-user) or [as a systems
+administrator](/getting-started-admin).
+
+## Dependencies ##
+
+Monkeysphere relies on:
+
+ * [GnuTLS](http://gnutls.org/)
+  * version 2.4 or later for general use
+  * [version 2.6 or later](/news/gnutls-2.6-enables-monkeysphere) to use the `monkeysphere subkey-to-ssh-agent` subcommand.
+ * [OpenSSH](http://openssh.com/)
+ * [GnuPG](http://gnupg.org/)
+
 ## Debian ##
 
-If you are running a Debian system, you can install Monkeysphere
-by following these directions:
+If you are running a [Debian](http://www.debian.org/) system, you can
+install Monkeysphere by following these directions:
 
 You can add this repo to your system by putting the following lines in
 `/etc/apt/sources.list.d/monkeysphere.list`:
@@ -13,23 +28,20 @@ You can add this repo to your system by putting the following lines in
 	deb http://archive.monkeysphere.info/debian experimental monkeysphere
 	deb-src http://archive.monkeysphere.info/debian experimental monkeysphere
 
-The repository is currently signed by the Monkeysphere archive
-signing key, key id EB8AF314 (fingerprint: `2E8D
-D26C 53F1 197D DF40 3E61 18E6 67F1 EB8A F314`).  To cryptographically
+The repository is currently signed by [The Monkeysphere archive
+signing key](/archive-key), key id EB8AF314 (fingerprint: `2E8D D26C
+53F1 197D DF40 3E61 18E6 67F1 EB8A F314`).  To cryptographically
 verify the packages, you'll want to [add this key to your apt
 configuration after verifying its integrity](/archive-key).
 
 To use the `monkeysphere subkey-to-ssh-agent` subcommand, you will
-also need [version 2.6 of GnuTLS](/news/gnutls-2.6-enables-monkeysphere),
-which is available in Debian experimental.
-
-Once you've installed the packages, you might want to read up on how
-to get started [as a regular user](/getting-started-user) or [as a
-systems administrator](/getting-started-admin).
+also need [version 2.6 of
+GnuTLS](/news/gnutls-2.6-enables-monkeysphere), which is available in
+Debian experimental.
 
 ## FreeBSD ##
 
-There is [now a FreeBSD port available](/news/FreeBSD-port-available/)
+There is [now a FreeBSD port available](/news/FreeBSD-port-available)
 for the Monkeysphere.
 
 While the monkeysphere is not officially included in the ports tree
@@ -51,44 +63,50 @@ port with:
     cd /usr/ports/security/monkeysphere
     make && make install
 
+To use the `monkeysphere subkey-to-ssh-agent` subcommand, you will
+also need [version 2.6 of
+GnuTLS](/news/gnutls-2.6-enables-monkeysphere), which is [slated to be
+available after the 7.1 ports slush is
+over](http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/127330).
+
 ## Source ##
 
 For those that would like to download the source directly, [the source
 is available](/community) via [git](http://git.or.cz/).
 
 The [latest
-tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.19.orig.tar.gz)
+tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.22.orig.tar.gz)
 is also available, and has these checksums:
 
 <pre>
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-checksums for the monkeysphere 0.19 release:
+checksums for the monkeysphere 0.22 release:
 
 MD5:
-64c643dd0ab642bbc8814aec1718000e  monkeysphere_0.19.orig.tar.gz
+2bb00c86323409b98aff53f94d9ce0a6  monkeysphere_0.22.orig.tar.gz
 
 SHA1:
-ea3c263b084d2c0b7922cd96677be192201700e4  monkeysphere_0.19.orig.tar.gz
+312882ad192b8e7303e3e0ac9db20ac8ddc529b3  monkeysphere_0.22.orig.tar.gz
 
 SHA256:
-321b77c1e10fe48ffbef8491893f5dd22842c35c11464efa7893150ce756a522  monkeysphere_0.19.orig.tar.gz
+2566facda807a67a4d2d6de3833cccfa0b78b454909e8d25f47a235a9e621b24  monkeysphere_0.22.orig.tar.gz
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 
-iQIVAwUBSQgMCRjmZ/HrivMUAQI2Jg//bZoSxx0Nor6uBikRGHQny8LzgUT/0kpv
-xg0eRmL9kQwhGis/sdOiJ9cHykJ1ukhRiIZGfxPBdxiQbWGs9nM6147TGIDgqx6D
-yYIW41dvzTRB0TwjNd7g1q6MaSiDNuU/6dD+ooM3/IiR8PDR7X8we0WhSM63KD+v
-HeMsN51UMhBfeaZ06fxrjYoJCvnp0YNYJpLuvtd5tzxqJCJA2Vh5VqJMbMP/MtbY
-zM/zuNXRI1mJnQZeU++IaAnimX7c7SsGjLaloZG8mapYqqY0tKJ5Yod6aeloq+i5
-wI4gZuuPcgAntD6cnPaqB1ni/d71yywme5F75zpezXGzKzDSh1J5oE6akjMi2lJE
-DSOKp7zb7TvDwXxCl+vOVod81F260gPhonlTsD/LpBfPGPBdWlWP+fFchb9N/a2u
-weCMhUYX1u8Jg/bHIycjoQjPEgZwCkJT9RKF1NTLyWvb4P4a3sPe+fauCMZFbTQ/
-3EYPRBY+PfIDO09XswdB5O3gq6B33ChyWJpdwlXEEHMcFt1FuezuP0avVM9/3ZNp
-MkqalDrUEd65X8o+CE3KjFxjMceVdda9mz2netnoHrFMW6X3mFqE2fTldgHi1mCT
-hMCqpPzY04+HOHYZ0GapR3pvedd4dwhkNYrdpckp+nJMTRfexEPH/NXDVNH/mxKg
-jLoIos0SaiY=
-=VUsz
+iQIVAwUBSTCiPRjmZ/HrivMUAQLg/BAAsdLsCQYSmvYLrYy1HiARtZOckqSOFv5e
+lnoOYEXKCXVjKqYUn4gjOkP2kQlnEOazfXrT/pO4u0AKUbf3C8bPDpIeao8uuPXI
+GG6HOWtsY93a2g8DM9fOzadIwhhBc9U7VwizBwFsxMw6xFTIKfoqqQonfEYFFLb6
+zyJVcfhmmGjgoJ9qA3AlYAf/i3Y/fcXh+YMI5J3Gez3BTVcep41UlcQUyd33pHF6
+aHdSWCzrotFual3fbf0meQewbBCW3JRBsbmCHQltbO/kNrtyfXb3Rp4oLiffcmpI
+DhfpFeonVHnUI9CVHmL7qbnBsgu5Q8l8Fxzu5pyzrGJxlvqBCpG8JM2FI0jJxw6o
+LQkmXCHteYKyopqKz5X0ATCot2Eoc9+kNEHwNWI37XbY7AV1XOOzGiaMjl+w8aUR
+QM8+Gi0h7SU2KuEogIsq1TghsDp3BJpTyBnc72ttLt2BvMzANOJnM8cmQqW8bOpz
+9Jdob+ISKkKG9q0wp61gb+8/f7mZKNtpr2rpRVYyjHgwR5XfbnS+gaD2B1NyG7NY
+yxW7fHpTsuwqcm2ONjZCDpEj0bXM0cL7r8c3J0L5kRCiN05c/KKYTNC70kTwCeQa
+ninihvIJal0Wu3LZxtYmtxuApq3wmc8NPo66C+TC24YGtxxJuZMS1qOlPFIPADIa
+EeBVdDmRbBw=
+=FmCP
 -----END PGP SIGNATURE-----
 </pre>
diff --git a/website/features.mdwn b/website/features.mdwn
new file mode 100644
index 0000000..1aabda1
--- /dev/null
+++ b/website/features.mdwn
@@ -0,0 +1,4 @@
+[[meta title="Features"]]
+
+# Features #
+
diff --git a/website/getting-started-admin.mdwn b/website/getting-started-admin.mdwn
index 6c8ad53..5c7203d 100644
--- a/website/getting-started-admin.mdwn
+++ b/website/getting-started-admin.mdwn
@@ -2,58 +2,106 @@ Monkeysphere Server Administrator README
 ========================================
 
 As the administrator of an SSH server, you can take advantage of the
-monkeysphere in two ways: you can publish the host key of your machine
-so that your users can have it automatically verified, and you can set
-up your machine to automatically identify connecting users by their
-presence in the OpenPGP web of trust.
+monkeysphere in two ways:
+
+1. you can publish the host key of your machine so that your users can
+have it automatically verified, and
+
+2. you can set up your machine to automatically identify connecting
+users by their presence in the OpenPGP web of trust.
+
+These things are not mutually required, and it is in fact possible to
+do one without the other.  However, it is highly recommend that you at
+least do the first.  Even if you decide that you do not want to use
+the monkeysphere to authenticate users to your system, you should at
+least the host key into the Web of Trust so that your users can be
+sure they're connecting to the correct machine.
+
+
+Monkeysphere for host verification
+==================================
 
 Server host key publication
 ---------------------------
-To generate and publish a server host key:
+
+To begin, you must first generate a server host key:
 
 	# monkeysphere-server gen-key
-	# monkeysphere-server publish-key
 
 This will generate the key for server with the service URI
-(`ssh://server.example.net`).  The server admin should now sign the
-server key so that people in the admin's web of trust can identify the
-server without manual host key checking:
+(`ssh://server.example.net`).  Output the new key information with the
+'show-key' command:
+
+	# monkeysphere-server show-key
+
+Once the key has been generated, it needs to be publish to the Web of
+Trust:
+
+	# monkeysphere-server publish-key
+
+The server admin should now sign the server key so that people in the
+admin's web of trust can identify the server without manual host key
+checking.  On your (the admin's) local machine retrieve the host key:
 
 	$ gpg --search '=ssh://server.example.net'
+
+Now sign the server key:
+
 	$ gpg --sign-key '=ssh://server.example.net'
 
+Make sure you compare the fingerprint of the retrieved with the one
+output with the 'show-key' command above, to verify you are signing
+the correct key.  Finally, publish your signatures back to the
+keyservers:
+
+	$ gpg --send-key '=ssh://server.example.net'
 
 Update OpenSSH configuration files
 ----------------------------------
 
 To use the newly-generated host key for ssh connections, put the
-following line in `/etc/ssh/sshd_config` (be sure to remove references
-to any other keys):
+following line in `/etc/ssh/sshd_config` (be sure to comment out or
+remove any other HostKey references):
 
 	HostKey /var/lib/monkeysphere/ssh_host_rsa_key
 
-FIXME: should we just suggest symlinks in the filesystem here instead?
+FIXME: What about DSA host keys?  The SSH RFC seems to require
+implementations support DSA, though OpenSSH will work without a DSA
+host key.
+
+
+Monkeysphere for user authentication
+====================================
+
+A host can maintain ssh `authorized_keys` files automatically for its
+users with the Monkeysphere.  These `authorized_keys` files can then
+be used to enable users to use the monkeysphere to authenticate to
+your machine using the OpenPGP web of trust.
 
-FIXME: What about DSA host keys?  The SSH RFC seems to require implementations support DSA, though OpenSSH will work without a DSA host key.
+Before this can happen, the host must first have a host key to use for
+user key verification.  If you have not already generated a host key
+(as in the host verification instructions above), generate one now:
 
-To enable users to use the monkeysphere to authenticate using the
-OpenPGP web of trust, add this line to `/etc/ssh/sshd_config` (again,
-making sure that no other AuthorizedKeysFile directive exists):
+	# monkeysphere-server gen-key
+
+Update OpenSSH configuration files
+----------------------------------
+
+SSH must be configured to point to the monkeysphere generated
+`authorized_keys` file.  Add this line to `/etc/ssh/sshd_config`
+(again, making sure that no other AuthorizedKeysFile directive is left
+uncommented):
 
 	AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
 
-And then read the section below about how to ensure these files are
-maintained.  You'll need to restart `sshd` to have your changes take
-effect.  As with any change to `sshd_config`, be sure to retain an
-existing session to the machine while you test your changes so you
-don't get locked out.
+You'll need to restart `sshd` to have your changes take effect.  As
+with any change to `sshd_config`, be sure to retain an existing
+session to the machine while you test your changes so you don't get
+locked out.
 
 Monkeysphere authorized_keys maintenance
 ----------------------------------------
 
-A host can maintain ssh authorized_keys files automatically for its
-users with the Monkeysphere.
-
 For each user account on the server, the userids of people authorized
 to log into that account would be placed in:
 
@@ -70,12 +118,12 @@ If the admin's OpenPGP keyid is `$GPGID`, then on the server run:
 
 	# monkeysphere-server add-identity-certifier $GPGID
 
-To update the monkeysphere authorized_keys file for user "bob" using
+To update the monkeysphere `authorized_keys` file for user "bob" using
 the current set of identity certifiers, run:
 
 	# monkeysphere-server update-users bob
 
-To update the monkeysphere authorized_keys file for all users on the
+To update the monkeysphere `authorized_keys` file for all users on the
 the system, run the same command with no arguments:
 
 	# monkeysphere-server update-users
diff --git a/website/getting-started-user.mdwn b/website/getting-started-user.mdwn
index 66378dc..9b04edc 100644
--- a/website/getting-started-user.mdwn
+++ b/website/getting-started-user.mdwn
@@ -20,19 +20,21 @@ done with a simple cronjob.  An example of crontab line to do this is:
 
 This would refresh your keychain every day at noon.
 
+
 Install the monkeysphere software on your system
 ------------------------------------------------
 
 If you haven't installed monkeysphere yet, you will need to [download
-and install] (/download) before continuing.
+and install](/download) before continuing.
 
 Make sure that you have the GnuTLS library version 2.6 or later
 installed on your system. If you can't (or don't want to) upgrade to
 GnuTLS 2.6 or later, there are patches for GnuTLS 2.4 available in
 [the Monkeysphere git repo](/community).
 
+
 Keeping your `known_hosts` file in sync with your keyring
------------------------------------------------------------
+---------------------------------------------------------
 
 With your keyring updated, you want to make sure that OpenSSH can
 still see the most recent trusted information about who the various
@@ -47,6 +49,7 @@ key for that host to the `known_hosts` file if one is found.  This
 command could be added to a crontab as well, if desired.
 
 
+
 Using `monkeysphere-ssh-proxycommand`(1)
 ----------------------------------------
 
@@ -91,6 +94,7 @@ If you have more than one secret key, you'll need to specify the key
 you want to add the subkey to on the command line.
 
 
+
 Using your OpenPGP authentication key for SSH
 ---------------------------------------------
 
@@ -105,6 +109,7 @@ you can feed your authentication subkey to your ssh agent by running:
 
 FIXME: using the key with a single ssh connection?
 
+
 Establish trust
 ---------------
 
diff --git a/website/index.mdwn b/website/index.mdwn
index 2e756ae..4abeea0 100644
--- a/website/index.mdwn
+++ b/website/index.mdwn
@@ -69,12 +69,11 @@ To emphasize: ***no modifications to SSH are required to use the
 Monkeysphere***.  OpenSSH can be used as is; completely unpatched and
 "out of the box".
 
-## Links ##
+## License ##
 
-* [OpenSSH](http://openssh.com/)
-* [GnuPG](http://www.gnupg.org/)
-* [Secure Shell Authentication Protocol RFC 4252](http://tools.ietf.org/html/rfc4252)
-* [OpenPGP RFC 4880](http://tools.ietf.org/html/rfc4880)
+All Monkeysphere software is copyright, 2007, by [the
+authors](community), and released under [GPL, version 3 or
+later](http://www.gnu.org/licenses/gpl-3.0.html).
 
 ----
 
diff --git a/website/local.css b/website/local.css
index c4b59e9..de0f196 100644
--- a/website/local.css
+++ b/website/local.css
@@ -58,31 +58,31 @@ pre {
   overflow: auto;
 }
 
-table.sitenav { 
+table.sitenav {
   border-bottom: 2px solid black;
   padding: 0px;
   width: 100%;
   font-size: larger;
 }
 
-table.sitenav img.logo { 
-  margin: 0px; 
-  padding: 0px; 
+table.sitenav img.logo {
+  margin: 0em;
+  padding: 0px;
   vertical-align: bottom;
 }
 
+table.sitenav img.title {
+  margin: 0px;
+  padding: 0px;
+  vertical-align: top;
+}
+
 table.sitenav a { 
   font-weight: bold;
   margin-right: 1em;
   font-size: smaller;
 }
 
-/* trying to align the sitenav links roughly with the text in the monkeysphere logo */
-td#sitenav { 
-  vertical-align: bottom;
-  padding-bottom: 30px;
-}
-
 table.sitenav span.selflink { 
   font-weight: bold;
   text-decoration: underline;
diff --git a/website/logo.simple.png b/website/logo.simple.png
new file mode 100644
index 0000000..5cc69eb
--- /dev/null
+++ b/website/logo.simple.png
diff --git a/website/logo.title.png b/website/logo.title.png
new file mode 100644
index 0000000..a203f8b
--- /dev/null
+++ b/website/logo.title.png
diff --git a/website/news/Monkeysphere-in-Debian.mdwn b/website/news/Monkeysphere-in-Debian.mdwn
new file mode 100644
index 0000000..edad432
--- /dev/null
+++ b/website/news/Monkeysphere-in-Debian.mdwn
@@ -0,0 +1,15 @@
+[[meta title="Monkeysphere now in Debian!"]]
+
+[The Monkeysphere has made it into
+Debian!](http://packages.debian.org/sid/monkeysphere)
+
+It is in Debian unstable ("sid") now, which means it won't make it
+into the next stable release ("lenny"), but hopefully will make it
+into the stable release after that ("squeeze").
+
+Congratulations to all the work by all the [monkeysphere
+developers](/community), and to Micah Anderson for being our Debian
+sponsor.
+
+Please feel free to start submitting bug reports to the [Debian
+BTS](http://bugs.debian.org/monkeysphere).
diff --git a/website/news/release-0.20-1.mdwn b/website/news/release-0.20-1.mdwn
new file mode 100644
index 0000000..841369d
--- /dev/null
+++ b/website/news/release-0.20-1.mdwn
@@ -0,0 +1,18 @@
+[[meta title="Monkeysphere 0.20-1 released!"]]
+
+Monkeysphere 0.20-1 has been released.  
+
+Notes from the changelog:
+
+<pre>
+  [ Daniel Kahn Gillmor ]
+  * ensure that tempdirs are properly created, bail out otherwise instead
+    of stumbling ahead.
+  * minor fussing with the test script to make it cleaner.
+
+  [ Jameson Graef Rollins ]
+  * clean up Makefile to generate more elegant source tarballs.
+  * make myself the maintainer.
+</pre>
+
+[[Download]] it now!
diff --git a/website/news/release-0.21-1.mdwn b/website/news/release-0.21-1.mdwn
new file mode 100644
index 0000000..e807775
--- /dev/null
+++ b/website/news/release-0.21-1.mdwn
@@ -0,0 +1,10 @@
+[[meta title="Monkeysphere 0.21-1 released!"]]
+
+Monkeysphere 0.21-1 has been released.  
+
+Notes from the changelog:
+
+<pre>
+</pre>
+
+[[Download]] it now!
diff --git a/website/news/release-0.22-1.mdwn b/website/news/release-0.22-1.mdwn
new file mode 100644
index 0000000..078b605
--- /dev/null
+++ b/website/news/release-0.22-1.mdwn
@@ -0,0 +1,25 @@
+[[meta title="Monkeysphere 0.22-1 released!"]]
+
+Monkeysphere 0.22-1 has been released.  
+
+Notes from the changelog:
+
+<pre>
+  * New upstream release:
+  [ Jameson Graef Rollins ]
+
+    - added info log output when a new key is added to known_hosts file.
+    - added some useful output to the ssh-proxycommand for "marginal"
+      cases where keys are found for host but do not have full validity.
+    - force ssh-keygen to read from stdin to get ssh key fingerprint.
+
+  [ Daniel Kahn Gillmor ]
+
+    - automatically output two copies of the host's public key: one
+    standard ssh public key file, and the other a minimal OpenPGP key with
+    just the latest valid self-sig.
+    - debian/control: corrected alternate dependency from procfile to
+    procmail (which provides /usr/bin/lockfile)
+</pre>
+
+[[Download]] it now!
diff --git a/website/sidebar.mdwn b/website/sidebar.mdwn
index fe21fc5..4783d2a 100644
--- a/website/sidebar.mdwn
+++ b/website/sidebar.mdwn
@@ -1,13 +1,19 @@
 <table class="sitenav" cellpadding="0" cellspacing="0">
-<tbody><tr><td>
-<a class="logo" href="/"><img class="logo" src="/logo.png" alt="monkeysphere" width="343" height="85" /></a>
-</td><td id="sitenav">
-
+<colgroup span="1" width="120" />
+<tr>
+<td rowspan="2"><a href="/"><img class="logo" src="/logo.simple.png" alt="monkeysphere" /></a></td>
+<td><a href="/"><img class="title" src="/logo.title.png" alt="monkeysphere" /></a></td>
+</tr><tr>
+<td>
 [[WHY?|why]]
 [[DOWNLOAD|download]]
 [[DOCUMENTATION|doc]] 
 [[NEWS|news]]
 [[COMMUNITY|community]]
-[[BUGS|bugs]]
+<a href="https://labs.riseup.net/code/wiki/monkeysphere">WIKI</a>
+<a href="https://labs.riseup.net/code/projects/monkeysphere/issues">BUGS</a>
+[[VISION|vision]]
+</td>
+</tr>
+</table>
 
-</td></tr></tbody></table>
diff --git a/website/signing-host-keys.mdwn b/website/signing-host-keys.mdwn
new file mode 100644
index 0000000..1eb61a0
--- /dev/null
+++ b/website/signing-host-keys.mdwn
@@ -0,0 +1,127 @@
+# Signing a host's SSH key using OpenPGP #
+
+This page is meant to address the issue of signing OpenPGP-based SSH
+host keys.  Machines are not people, so the circumstances under which
+one should sign a host key are different from those under which one
+should sign another person's key.
+
+# Why are signatures on an SSH host key important? #
+
+In order for users to validate a host (an SSH server) in a
+monkeysphere-enabled network, the host key must have *full* calculated
+validity from the perspective of the connecting user.  If the user has
+not themselves signed the server's key, then the server's key can only
+be valid if other people that the user trusts have signed the key.
+
+If only one person has signed the server's key, then the user must
+fully trust the single person who has signed the host key.  Full trust
+should be granted sparingly and with consideration, though, so unless
+the user knows the server admin very well, they will in general not
+have full trust of this person.
+
+However, full trust of the host key can also be achieved if the
+server key has been signed by three or more people that the user has
+ *marginal* trust of.  In other words, three or more *marginally*
+trusted signatures equals one *fully* trusted signature.  It is much
+more common for users to have marginal trust of other users in the Web
+of Trust.  For this reason, it is advisable to have as many people
+sign the server key as possible.
+
+## What information should you have before signing a host key? ##
+
+Before signing the key of a person, you want to do two things:
+
+1. verify the identity of the person.
+2. verify that the person is actually in control of the key that you
+are signing.
+
+For a server, you want to do basically the same thing:
+
+1. verify the identity of the server.
+2. verify that the server is actually in control of the key that you
+are signing.
+
+However, verifying these things for a server is less intuitive than it
+is for a human.
+
+Verifying that the host is in control of the key is, in principle,
+straightforward.  If you are logged on to the machine in question,
+then you can check directly that the key exists on the system.
+
+What is not so straightforward is what exactly it means to "verify the
+identity" of a remote server on the internet?  The identity in this
+case is the fully qualified domain name (FQDN) of the host.  Verifying
+this identity amounts to being sure that the host in question really
+is located at that FQDN.
+
+## Signing the host key ##
+
+If you are the person (or persons) that actually setup the server and
+configured Monkeysphere and ssh on the server, then you should sign
+the host key as part of that process.  When the server is first set
+up, the administrators who set it up are the only ones who can
+actually vouch for the server key, so their signatures are necessary
+to get things going.  Their signatures are also necessary so that they
+can validate the host key themselves and log into the server via
+monkeysphere-enabled ssh in the future.
+
+If you did not set up the server initially, you do not have an
+accumulated full trust of the person(s) who did, and you do not
+necessarily have console access to the server directly, it's hard to
+confidently verify the server identity and key ownership.  You would
+like to be able to walk up to the server, log in at the console, and
+get the fingerprint of the ssh host key directly.  But this is usually
+impossible.
+
+However, it is still possible to verify the server identity *and*
+server ownership of the key, even in this case.
+
+## Remotely verifying host identity and key possession ##
+
+It is in fact possible to verify the identity and key ownership of a
+server in one fell swoop with monkeysphere-enabled ssh.  Here is the
+procedure:
+
+> **Attempt to make a monkeysphere-enabled ssh connection to the host in
+question.  Monkeysphere will check that the ssh host key offered by the
+host matches the OpenPGP key with the correct host FQDN user ID.  If
+the ssh host key and the OpenPGP key with the correct user ID match,
+then you will have effectively:**
+
+>**1. verified the host identity, because you actually connected to the
+host in question, which you know because you:**
+
+>**2. verified the host is in control of the key, because the ssh host
+key offered by the host matches the OpenPGP key with correct host FQDN
+user ID.**
+
+Here is an example:
+
+	servo:~ 0$ ssh zimmermann.mayfirst.org
+	-------------------- Monkeysphere warning -------------------
+	Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
+	An OpenPGP key matching the ssh key offered by the host was found:
+	
+	pub   2048R/860E8F9C 2008-10-29 [expires: 2009-02-26]
+	uid       [marginal] ssh://zimmermann.mayfirst.org
+	sig!         76CC057D 2008-11-15  Jamie McClelland <jamie@mayfirst.org>
+	sig!3        860E8F9C 2008-10-29  ssh://zimmermann.mayfirst.org
+	sig!         D21739E9 2008-10-29  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+	sig!         1CF2D62A 2008-11-16  Micah Anderson <micah@riseup.net>
+	
+	RSA key fingerprint is 81:96:13:3e:24:c9:3c:5b:3c:6d:55:ba:58:85:e9:9e.
+	-------------------- ssh continues below --------------------
+	The authenticity of host 'zimmermann.mayfirst.org (<no hostip for proxy command>)' can't be established.
+	RSA key fingerprint is 81:96:13:3e:24:c9:3c:5b:3c:6d:55:ba:58:85:e9:9e.
+	No matching host key fingerprint found in DNS.
+	Are you sure you want to continue connecting (yes/no)? no
+	Host key verification failed.
+	servo:~ 255$ 
+
+I have attempted to connect to the host zimmermann.mayfirst.org.
+zimmermann's host key has only *marginal* validity for the FQDN user
+ID in question, so I am not able to connect.  However, the
+Monkeysphere has checked that the ssh host key actually does match the
+OpenPGP key with the correct user ID `ssh://zimmermann.mayfirst.org`.
+I have therefore verified the identity of zimmermann, and verified
+that zimmermann is in possession of the key in question.
diff --git a/website/technical-details.mdwn b/website/technical-details.mdwn
new file mode 100644
index 0000000..902e356
--- /dev/null
+++ b/website/technical-details.mdwn
@@ -0,0 +1,28 @@
+[[meta title="Technical Details"]]
+
+# Technical Details #
+
+Under construction.
+
+## Host key verification ##
+
+When an ssh connection is initiated, the ssh client checks that the
+host key presented by the server matches one found in the connecting
+user's `known_hosts` file.  If so, the ssh client allows the
+connection to continue.  If not, the client asks the user if they
+would like to accept the host key for future session by asking the
+user to verify the host key's fingerprint.
+
+### Adding a server to the monkeysphere ###
+
+Servers are "monkeysphere enabled" by generating an OpenPGP
+authentication key for the server, translating the key into on ssh
+key, and publishing the host key to the Web of Trust.
+
+### Verifying a host key ###
+
+## User authentication ##
+
+### Adding an individual to the monkeysphere ###
+
+### Verifying a user key ###
diff --git a/website/vision.mdwn b/website/vision.mdwn
new file mode 100644
index 0000000..281bc72
--- /dev/null
+++ b/website/vision.mdwn
@@ -0,0 +1,31 @@
+[[meta title="Our vision for the future of the monkeysphere"]]
+
+## External Validation Agent ##
+
+This is probably at the crux of the Monkeysphere vision for the future:
+
+* [Simon Josefsson proposed out-of-process certificate verification model in gnutls-devel](http://news.gmane.org/find-root.php?group=gmane.comp.encryption.gpg.gnutls.devel&article=3231)
+* [Werner Koch's dirmngr](http://www.gnupg.org/documentation/manuals/dirmngr/)
+* [GnuTLS wiki external validation](http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation)
+* [Pathfinder PKI validation](http://code.google.com/p/pathfinder-pki/) (includes validation plugins for OpenSSL and LibNSS).
+
+## TLS transition strategies ##
+
+While [RFC 5081](http://tools.ietf.org/html/rfc5081) is quite a while
+off from widespread adoption, it would be good to have an interim
+translation step.  This is analogous to the SSH work we've done, where
+the on-the-wire protocol remains the same, but the keys themselves are
+looked up in the OpenPGP WoT.
+
+Firefox extensions that deal with certificate validation seem to be
+the easiest path toward demonstrating this technique.  We should look
+at:
+
+* [SSL Blacklist](http://codefromthe70s.org/sslblacklist.aspx)
+* [Perspectives](http://www.cs.cmu.edu/~perspectives/firefox.html)
+* there is another firefox extension that basically disables all TLS certificate checking.  The download page says things like "this is a bad idea" and "do not install this extension", but i'm unable to find it at the moment.
+
+## Related discussions ##
+
+* [Wandering Thoughts blog discussion about Web of Trust flaws](http://utcc.utoronto.ca/~cks/space/blog/tech/WebOfTrustFlaws?showcomments)
+* [Wandering Thoughts blog discussion about certificate authorities](http://utcc.utoronto.ca/~cks/space/blog/web/SSLCANeed?showcomments)