15 files changed, 330 insertions, 70 deletions
diff --git a/website/bugs.mdwn b/website/bugs.mdwn
index d621500..bd437f9 100644
--- a/website/bugs.mdwn
+++ b/website/bugs.mdwn
@@ -2,10 +2,18 @@
 
 # Bugs #
 
-This is Monkeysphere's bug list.  You can also browse our [completed bugs](done).
+The Monkeysphere is moving to a [new issue tracking
+system](https://labs.riseup.net/code/projects/show/monkeysphere),
+hosted at [Riseup Labs](https://labs.riseup.net/code).  We're leaving
+this old bug list up during the transition.
 
-If you don't have commit access to the public repo, we'd appreciate
-you reporting bugs on [the monkeysphere mailing list](/community).
+If you use [Debian](htt[://debian.org), please consider submitting
+your bug to the [Debian BTS](http://bugs.debian.org/monkeysphere).
+
+You can also browse our [completed bugs](done).
+
+Please feel free to also ask any questions on the [the monkeysphere
+mailing list](/community).
 
 [[inline pages="./bugs/* and !./bugs/done and !link(done) 
 and !*/Discussion" actions=yes postform=yes show=0]]
diff --git a/website/bugs/posix_compliance.mdwn b/website/bugs/posix_compliance.mdwn
new file mode 100644
index 0000000..d418e98
--- /dev/null
+++ b/website/bugs/posix_compliance.mdwn
@@ -0,0 +1,12 @@
+It would be nice to make all of the Monkeysphere scripts POSIX
+compliant, for portability and light-weightedness.  Better POSIX
+compliance would probably at least be better for compatibility with
+o{ther,lder} versions of bash.  Unfortunately there are quite a few
+bashism at the moment, so this may not be trivial.  For instance:
+
+      servo:~/cmrg/monkeysphere/git 0$ checkbashisms -f src/monkeysphere-server 2>&1 | wc -l
+      50
+      servo:~/cmrg/monkeysphere/git 0$ 
+
+It looks like the biggest complication for this would be the
+occasional use of bash arrays.
diff --git a/website/bugs/problems-with-root-owned-gpg-keyrings.mdwn b/website/bugs/problems-with-root-owned-gpg-keyrings.mdwn
index 65268c5..67bc9d2 100644
--- a/website/bugs/problems-with-root-owned-gpg-keyrings.mdwn
+++ b/website/bugs/problems-with-root-owned-gpg-keyrings.mdwn
@@ -22,3 +22,100 @@ be hiding a bug, rather than getting it fixed correctly.
 Are there other ways we can deal with this problem?
 
 --dkg
+
+Here is an example when using monkeysphere-server
+add-identity-certifier on a host with a newly-installed monkeysphere
+installaton.  Note that running the same command a second time works
+as expected:
+
+     0 pip:~# monkeysphere-server c+ 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9
+     gpg: requesting key D21739E9 from hkp server pool.sks-keyservers.net
+     gpg: key D21739E9: public key "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" imported
+     gpg: can't create `/var/lib/monkeysphere/gnupg-host/pubring.gpg.tmp': Permission denied
+     gpg: failed to rebuild keyring cache: file open error
+     gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+     gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
+     gpg: next trustdb check due at 2009-03-30
+     gpg: Total number processed: 1
+     gpg:               imported: 1  (RSA: 1)
+     Could not receive a key with this ID from the 'pool.sks-keyservers.net' keyserver.
+     255 pip:~# monkeysphere-server c+ 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9
+     gpg: requesting key D21739E9 from hkp server pool.sks-keyservers.net
+     gpg: key D21739E9: "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" not changed
+     gpg: Total number processed: 1
+     gpg:              unchanged: 1
+
+     key found:
+     pub   4096R/D21739E9 2007-06-02 [expires: 2012-05-31]
+           Key fingerprint = 0EE5 BE97 9282 D80B 9F75  40F1 CCD2 ED94 D217 39E9
+     uid       [ unknown] Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+     uid       [ unknown] Daniel Kahn Gillmor <dkg@openflows.com>
+     uid       [ unknown] Daniel Kahn Gillmor <dkg@astro.columbia.edu>
+     uid       [ unknown] Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
+     uid       [ unknown] [jpeg image of size 3515]
+     sub   2048R/4BFA08E4 2008-06-19 [expires: 2009-06-19]
+     sub   4096R/21484CFF 2007-06-02 [expires: 2012-05-31]
+
+     Are you sure you want to add the above key as a
+     certifier of users on this system? (y/N) y
+     gpg: key D21739E9: public key "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" imported
+     gpg: Total number processed: 1
+     gpg:               imported: 1  (RSA: 1)
+     gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+     gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
+     gpg: next trustdb check due at 2009-03-30
+     gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
+     This is free software: you are free to change and redistribute it.
+     There is NO WARRANTY, to the extent permitted by law.
+
+
+     pub  4096R/D21739E9  created: 2007-06-02  expires: 2012-05-31  usage: SC  
+                          trust: unknown       validity: unknown
+     [ unknown] (1). Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+     [ unknown] (2)  Daniel Kahn Gillmor <dkg@openflows.com>
+     [ unknown] (3)  Daniel Kahn Gillmor <dkg@astro.columbia.edu>
+     [ unknown] (4)  Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
+     [ unknown] (5)  [jpeg image of size 3515]
+
+
+     pub  4096R/D21739E9  created: 2007-06-02  expires: 2012-05-31  usage: SC  
+                          trust: unknown       validity: unknown
+      Primary key fingerprint: 0EE5 BE97 9282 D80B 9F75  40F1 CCD2 ED94 D217 39E9
+
+          Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+          Daniel Kahn Gillmor <dkg@openflows.com>
+          Daniel Kahn Gillmor <dkg@astro.columbia.edu>
+          Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
+          [jpeg image of size 3515]
+
+     This key is due to expire on 2012-05-31.
+     Please decide how far you trust this user to correctly verify other users' keys
+     (by looking at passports, checking fingerprints from different sources, etc.)
+
+       1 = I trust marginally
+       2 = I trust fully
+
+
+     Please enter the depth of this trust signature.
+     A depth greater than 1 allows the key you are signing to make
+     trust signatures on your behalf.
+
+
+     Please enter a domain to restrict this signature, or enter for none.
+
+
+     Are you sure that you want to sign this key with your
+     key "ssh://pip.fifthhorseman.net" (9B83C17D)
+
+     The signature will be marked as non-exportable.
+
+
+     gpg: can't create `/var/lib/monkeysphere/gnupg-host/pubring.gpg.tmp': Permission denied
+     gpg: failed to rebuild keyring cache: file open error
+     gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+     gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
+     gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 1f, 0u
+     gpg: next trustdb check due at 2009-03-30
+
+     Identity certifier added.
+     0 pip:~# 
diff --git a/website/bugs/use_getopts_instead_of_getopt.mdwn b/website/bugs/use_getopts_instead_of_getopt.mdwn
new file mode 100644
index 0000000..2ec68d6
--- /dev/null
+++ b/website/bugs/use_getopts_instead_of_getopt.mdwn
@@ -0,0 +1,19 @@
+Since Monkeysphere is using bash, it would be nice to use the shell
+build in getopts function, instead of the external getopt program.
+This would reduce an external dependency, which would definitely be
+better for portability.
+
+---
+
+So it looks like the sh built-in getopts does not include long options
+(eg. "--expire").  Is it worth getting rid of the long options for
+this?
+
+---
+
+Why not just get rid of getopts altogether and perform a simple
+argument-processing loop with bash string tests?  We're only invoking
+getopt in three places, and each invocation is no more complex than
+three arguments -- and most arguments take a separate parameter, which
+means that handling tricky arg blobs like -aCxr are not gonna be
+supported anyway.
diff --git a/website/doc.mdwn b/website/doc.mdwn
index cd7bc76..28db2ef 100644
--- a/website/doc.mdwn
+++ b/website/doc.mdwn
@@ -19,10 +19,12 @@
 
 ## References ##
 
- * [Initial Monkeysphere specifications at CMRG](http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH)
+ * [OpenSSH](http://openssh.com/)
+ * [GnuPG](http://www.gnupg.org/)
  * [OpenPGP (RFC 4880)](http://tools.ietf.org/html/rfc4880)
  * [Secure Shell Authentication Protocol (RFC 4252)](http://tools.ietf.org/html/rfc4252)
    * [URI scheme for SSH, RFC draft](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/)
+ * [Initial Monkeysphere specifications at CMRG](http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH)
 
 ## Other ##
 
diff --git a/website/download.mdwn b/website/download.mdwn
index 6d5a73f..a5c7479 100644
--- a/website/download.mdwn
+++ b/website/download.mdwn
@@ -75,38 +75,38 @@ For those that would like to download the source directly, [the source
 is available](/community) via [git](http://git.or.cz/).
 
 The [latest
-tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.21.orig.tar.gz)
+tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.22.orig.tar.gz)
 is also available, and has these checksums:
 
 <pre>
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-checksums for the monkeysphere 0.21 release:
+checksums for the monkeysphere 0.22 release:
 
 MD5:
-15fe181983565aca0fbe4c41f9f6752e  monkeysphere_0.21.orig.tar.gz
+2bb00c86323409b98aff53f94d9ce0a6  monkeysphere_0.22.orig.tar.gz
 
 SHA1:
-27e915a45cdbe50a139ed4f4b13746b17c165b0f  monkeysphere_0.21.orig.tar.gz
+312882ad192b8e7303e3e0ac9db20ac8ddc529b3  monkeysphere_0.22.orig.tar.gz
 
 SHA256:
-1535c3f722f5f5c1646a4981efef4a262ac7b23bf4b980c9aee11af2600eedc2  monkeysphere_0.21.orig.tar.gz
+2566facda807a67a4d2d6de3833cccfa0b78b454909e8d25f47a235a9e621b24  monkeysphere_0.22.orig.tar.gz
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 
-iQIVAwUBSR8+7BjmZ/HrivMUAQLeKg/+JT4LCXBR/06p/w2KBd1MKqch5Qf2ryIo
-mxCTWtZRgVQSeOFUJ5SXX+Tfs7VZfkV5HuahUH3NmGC6EMhYyB2olwBOOoIAqEKw
-1zVyn49bowCee+gTc3QHyT0Eqgt2ARtzl3/VrHkiw2MaJN3IZXseovyL8ksnEu+u
-s8fq26imtBrrucIxp4ZtHUw/h/YrJohHcJ8QQN5/UWFLug4C4aRFmnzL+oCySxAa
-0au/zFxxRZE5pMhLUvRwwCwPFx2CGBz6y9lAOiDPhhUqh+Bf7JKWJzk35Dj5Tm+2
-lCIzYtfpBkuF9ehCrm8WYF5aFg+gto8Bc6IJci9J6h2npBYIG0IbWOknMZz3+Ti2
-c3EltlJjK0LKEHujDYjf9tkNAxbBdtlYuw8x925ILeK7n8xX0Jr1TDzPyAIYaogv
-IVqsgnvQ489K8k06173kyrPaetyvOlU3bN1zcPdqTyCD6+eBbeCeKXO4324C8iMF
-rQPW4HScOdIidqFuzHyIT7PoY4DwWMgeAVymRSEufifvRcdCvQdlC4MaxxVf5I8A
-ATkD3CrY+5NZeERAGbmlu7Uz+sUk5tLUH0Q2qvjZUIQRctfr4BMheuBubsLR9yP3
-FZ4Q4kl34eU/WU7NtTmIFy7gDhLSIoeQINfYZlNEXQ7Y/RZUOEwoPI/spAXgw6De
-Xpsw0wPZtcM=
-=JDaA
+iQIVAwUBSTCiPRjmZ/HrivMUAQLg/BAAsdLsCQYSmvYLrYy1HiARtZOckqSOFv5e
+lnoOYEXKCXVjKqYUn4gjOkP2kQlnEOazfXrT/pO4u0AKUbf3C8bPDpIeao8uuPXI
+GG6HOWtsY93a2g8DM9fOzadIwhhBc9U7VwizBwFsxMw6xFTIKfoqqQonfEYFFLb6
+zyJVcfhmmGjgoJ9qA3AlYAf/i3Y/fcXh+YMI5J3Gez3BTVcep41UlcQUyd33pHF6
+aHdSWCzrotFual3fbf0meQewbBCW3JRBsbmCHQltbO/kNrtyfXb3Rp4oLiffcmpI
+DhfpFeonVHnUI9CVHmL7qbnBsgu5Q8l8Fxzu5pyzrGJxlvqBCpG8JM2FI0jJxw6o
+LQkmXCHteYKyopqKz5X0ATCot2Eoc9+kNEHwNWI37XbY7AV1XOOzGiaMjl+w8aUR
+QM8+Gi0h7SU2KuEogIsq1TghsDp3BJpTyBnc72ttLt2BvMzANOJnM8cmQqW8bOpz
+9Jdob+ISKkKG9q0wp61gb+8/f7mZKNtpr2rpRVYyjHgwR5XfbnS+gaD2B1NyG7NY
+yxW7fHpTsuwqcm2ONjZCDpEj0bXM0cL7r8c3J0L5kRCiN05c/KKYTNC70kTwCeQa
+ninihvIJal0Wu3LZxtYmtxuApq3wmc8NPo66C+TC24YGtxxJuZMS1qOlPFIPADIa
+EeBVdDmRbBw=
+=FmCP
 -----END PGP SIGNATURE-----
 </pre>
diff --git a/website/getting-started-admin.mdwn b/website/getting-started-admin.mdwn
index 1c373ac..5c7203d 100644
--- a/website/getting-started-admin.mdwn
+++ b/website/getting-started-admin.mdwn
@@ -2,60 +2,106 @@ Monkeysphere Server Administrator README
 ========================================
 
 As the administrator of an SSH server, you can take advantage of the
-monkeysphere in two ways: you can publish the host key of your machine
-so that your users can have it automatically verified, and you can set
-up your machine to automatically identify connecting users by their
-presence in the OpenPGP web of trust.
+monkeysphere in two ways:
 
+1. you can publish the host key of your machine so that your users can
+have it automatically verified, and
+
+2. you can set up your machine to automatically identify connecting
+users by their presence in the OpenPGP web of trust.
+
+These things are not mutually required, and it is in fact possible to
+do one without the other.  However, it is highly recommend that you at
+least do the first.  Even if you decide that you do not want to use
+the monkeysphere to authenticate users to your system, you should at
+least the host key into the Web of Trust so that your users can be
+sure they're connecting to the correct machine.
+
+
+Monkeysphere for host verification
+==================================
 
 Server host key publication
 ---------------------------
-To generate and publish a server host key:
+
+To begin, you must first generate a server host key:
 
 	# monkeysphere-server gen-key
-	# monkeysphere-server publish-key
 
 This will generate the key for server with the service URI
-(`ssh://server.example.net`).  The server admin should now sign the
-server key so that people in the admin's web of trust can identify the
-server without manual host key checking:
+(`ssh://server.example.net`).  Output the new key information with the
+'show-key' command:
+
+	# monkeysphere-server show-key
+
+Once the key has been generated, it needs to be publish to the Web of
+Trust:
+
+	# monkeysphere-server publish-key
+
+The server admin should now sign the server key so that people in the
+admin's web of trust can identify the server without manual host key
+checking.  On your (the admin's) local machine retrieve the host key:
 
 	$ gpg --search '=ssh://server.example.net'
+
+Now sign the server key:
+
 	$ gpg --sign-key '=ssh://server.example.net'
 
+Make sure you compare the fingerprint of the retrieved with the one
+output with the 'show-key' command above, to verify you are signing
+the correct key.  Finally, publish your signatures back to the
+keyservers:
+
+	$ gpg --send-key '=ssh://server.example.net'
 
 Update OpenSSH configuration files
 ----------------------------------
 
 To use the newly-generated host key for ssh connections, put the
-following line in `/etc/ssh/sshd_config` (be sure to remove references
-to any other keys):
+following line in `/etc/ssh/sshd_config` (be sure to comment out or
+remove any other HostKey references):
 
 	HostKey /var/lib/monkeysphere/ssh_host_rsa_key
 
-FIXME: should we just suggest symlinks in the filesystem here instead?
+FIXME: What about DSA host keys?  The SSH RFC seems to require
+implementations support DSA, though OpenSSH will work without a DSA
+host key.
 
-FIXME: What about DSA host keys?  The SSH RFC seems to require implementations support DSA, though OpenSSH will work without a DSA host key.
 
-To enable users to use the monkeysphere to authenticate using the
-OpenPGP web of trust, add this line to `/etc/ssh/sshd_config` (again,
-making sure that no other AuthorizedKeysFile directive exists):
+Monkeysphere for user authentication
+====================================
 
-	AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
+A host can maintain ssh `authorized_keys` files automatically for its
+users with the Monkeysphere.  These `authorized_keys` files can then
+be used to enable users to use the monkeysphere to authenticate to
+your machine using the OpenPGP web of trust.
+
+Before this can happen, the host must first have a host key to use for
+user key verification.  If you have not already generated a host key
+(as in the host verification instructions above), generate one now:
+
+	# monkeysphere-server gen-key
 
-And then read the section below about how to ensure these files are
-maintained.  You'll need to restart `sshd` to have your changes take
-effect.  As with any change to `sshd_config`, be sure to retain an
-existing session to the machine while you test your changes so you
-don't get locked out.
+Update OpenSSH configuration files
+----------------------------------
+
+SSH must be configured to point to the monkeysphere generated
+`authorized_keys` file.  Add this line to `/etc/ssh/sshd_config`
+(again, making sure that no other AuthorizedKeysFile directive is left
+uncommented):
 
+	AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
+
+You'll need to restart `sshd` to have your changes take effect.  As
+with any change to `sshd_config`, be sure to retain an existing
+session to the machine while you test your changes so you don't get
+locked out.
 
 Monkeysphere authorized_keys maintenance
 ----------------------------------------
 
-A host can maintain ssh authorized_keys files automatically for its
-users with the Monkeysphere.
-
 For each user account on the server, the userids of people authorized
 to log into that account would be placed in:
 
@@ -72,12 +118,12 @@ If the admin's OpenPGP keyid is `$GPGID`, then on the server run:
 
 	# monkeysphere-server add-identity-certifier $GPGID
 
-To update the monkeysphere authorized_keys file for user "bob" using
+To update the monkeysphere `authorized_keys` file for user "bob" using
 the current set of identity certifiers, run:
 
 	# monkeysphere-server update-users bob
 
-To update the monkeysphere authorized_keys file for all users on the
+To update the monkeysphere `authorized_keys` file for all users on the
 the system, run the same command with no arguments:
 
 	# monkeysphere-server update-users
diff --git a/website/index.mdwn b/website/index.mdwn
index 2e756ae..4abeea0 100644
--- a/website/index.mdwn
+++ b/website/index.mdwn
@@ -69,12 +69,11 @@ To emphasize: ***no modifications to SSH are required to use the
 Monkeysphere***.  OpenSSH can be used as is; completely unpatched and
 "out of the box".
 
-## Links ##
+## License ##
 
-* [OpenSSH](http://openssh.com/)
-* [GnuPG](http://www.gnupg.org/)
-* [Secure Shell Authentication Protocol RFC 4252](http://tools.ietf.org/html/rfc4252)
-* [OpenPGP RFC 4880](http://tools.ietf.org/html/rfc4880)
+All Monkeysphere software is copyright, 2007, by [the
+authors](community), and released under [GPL, version 3 or
+later](http://www.gnu.org/licenses/gpl-3.0.html).
 
 ----
 
diff --git a/website/local.css b/website/local.css
index c4b59e9..de0f196 100644
--- a/website/local.css
+++ b/website/local.css
@@ -58,31 +58,31 @@ pre {
   overflow: auto;
 }
 
-table.sitenav { 
+table.sitenav {
   border-bottom: 2px solid black;
   padding: 0px;
   width: 100%;
   font-size: larger;
 }
 
-table.sitenav img.logo { 
-  margin: 0px; 
-  padding: 0px; 
+table.sitenav img.logo {
+  margin: 0em;
+  padding: 0px;
   vertical-align: bottom;
 }
 
+table.sitenav img.title {
+  margin: 0px;
+  padding: 0px;
+  vertical-align: top;
+}
+
 table.sitenav a { 
   font-weight: bold;
   margin-right: 1em;
   font-size: smaller;
 }
 
-/* trying to align the sitenav links roughly with the text in the monkeysphere logo */
-td#sitenav { 
-  vertical-align: bottom;
-  padding-bottom: 30px;
-}
-
 table.sitenav span.selflink { 
   font-weight: bold;
   text-decoration: underline;
diff --git a/website/logo.simple.png b/website/logo.simple.png
new file mode 100644
index 0000000..5cc69eb
--- /dev/null
+++ b/website/logo.simple.png
diff --git a/website/logo.title.png b/website/logo.title.png
new file mode 100644
index 0000000..a203f8b
--- /dev/null
+++ b/website/logo.title.png
diff --git a/website/news/Monkeysphere-in-Debian.mdwn b/website/news/Monkeysphere-in-Debian.mdwn
new file mode 100644
index 0000000..edad432
--- /dev/null
+++ b/website/news/Monkeysphere-in-Debian.mdwn
@@ -0,0 +1,15 @@
+[[meta title="Monkeysphere now in Debian!"]]
+
+[The Monkeysphere has made it into
+Debian!](http://packages.debian.org/sid/monkeysphere)
+
+It is in Debian unstable ("sid") now, which means it won't make it
+into the next stable release ("lenny"), but hopefully will make it
+into the stable release after that ("squeeze").
+
+Congratulations to all the work by all the [monkeysphere
+developers](/community), and to Micah Anderson for being our Debian
+sponsor.
+
+Please feel free to start submitting bug reports to the [Debian
+BTS](http://bugs.debian.org/monkeysphere).
diff --git a/website/news/release-0.22-1.mdwn b/website/news/release-0.22-1.mdwn
new file mode 100644
index 0000000..078b605
--- /dev/null
+++ b/website/news/release-0.22-1.mdwn
@@ -0,0 +1,25 @@
+[[meta title="Monkeysphere 0.22-1 released!"]]
+
+Monkeysphere 0.22-1 has been released.  
+
+Notes from the changelog:
+
+<pre>
+  * New upstream release:
+  [ Jameson Graef Rollins ]
+
+    - added info log output when a new key is added to known_hosts file.
+    - added some useful output to the ssh-proxycommand for "marginal"
+      cases where keys are found for host but do not have full validity.
+    - force ssh-keygen to read from stdin to get ssh key fingerprint.
+
+  [ Daniel Kahn Gillmor ]
+
+    - automatically output two copies of the host's public key: one
+    standard ssh public key file, and the other a minimal OpenPGP key with
+    just the latest valid self-sig.
+    - debian/control: corrected alternate dependency from procfile to
+    procmail (which provides /usr/bin/lockfile)
+</pre>
+
+[[Download]] it now!
diff --git a/website/sidebar.mdwn b/website/sidebar.mdwn
index fe21fc5..4783d2a 100644
--- a/website/sidebar.mdwn
+++ b/website/sidebar.mdwn
@@ -1,13 +1,19 @@
 <table class="sitenav" cellpadding="0" cellspacing="0">
-<tbody><tr><td>
-<a class="logo" href="/"><img class="logo" src="/logo.png" alt="monkeysphere" width="343" height="85" /></a>
-</td><td id="sitenav">
-
+<colgroup span="1" width="120" />
+<tr>
+<td rowspan="2"><a href="/"><img class="logo" src="/logo.simple.png" alt="monkeysphere" /></a></td>
+<td><a href="/"><img class="title" src="/logo.title.png" alt="monkeysphere" /></a></td>
+</tr><tr>
+<td>
 [[WHY?|why]]
 [[DOWNLOAD|download]]
 [[DOCUMENTATION|doc]] 
 [[NEWS|news]]
 [[COMMUNITY|community]]
-[[BUGS|bugs]]
+<a href="https://labs.riseup.net/code/wiki/monkeysphere">WIKI</a>
+<a href="https://labs.riseup.net/code/projects/monkeysphere/issues">BUGS</a>
+[[VISION|vision]]
+</td>
+</tr>
+</table>
 
-</td></tr></tbody></table>
diff --git a/website/vision.mdwn b/website/vision.mdwn
new file mode 100644
index 0000000..281bc72
--- /dev/null
+++ b/website/vision.mdwn
@@ -0,0 +1,31 @@
+[[meta title="Our vision for the future of the monkeysphere"]]
+
+## External Validation Agent ##
+
+This is probably at the crux of the Monkeysphere vision for the future:
+
+* [Simon Josefsson proposed out-of-process certificate verification model in gnutls-devel](http://news.gmane.org/find-root.php?group=gmane.comp.encryption.gpg.gnutls.devel&article=3231)
+* [Werner Koch's dirmngr](http://www.gnupg.org/documentation/manuals/dirmngr/)
+* [GnuTLS wiki external validation](http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation)
+* [Pathfinder PKI validation](http://code.google.com/p/pathfinder-pki/) (includes validation plugins for OpenSSL and LibNSS).
+
+## TLS transition strategies ##
+
+While [RFC 5081](http://tools.ietf.org/html/rfc5081) is quite a while
+off from widespread adoption, it would be good to have an interim
+translation step.  This is analogous to the SSH work we've done, where
+the on-the-wire protocol remains the same, but the keys themselves are
+looked up in the OpenPGP WoT.
+
+Firefox extensions that deal with certificate validation seem to be
+the easiest path toward demonstrating this technique.  We should look
+at:
+
+* [SSL Blacklist](http://codefromthe70s.org/sslblacklist.aspx)
+* [Perspectives](http://www.cs.cmu.edu/~perspectives/firefox.html)
+* there is another firefox extension that basically disables all TLS certificate checking.  The download page says things like "this is a bad idea" and "do not install this extension", but i'm unable to find it at the moment.
+
+## Related discussions ##
+
+* [Wandering Thoughts blog discussion about Web of Trust flaws](http://utcc.utoronto.ca/~cks/space/blog/tech/WebOfTrustFlaws?showcomments)
+* [Wandering Thoughts blog discussion about certificate authorities](http://utcc.utoronto.ca/~cks/space/blog/web/SSLCANeed?showcomments)