Diffstat (limited to 'website')
-rw-r--r-- | website/index.mdwn | 89 |
1 files changed, 52 insertions, 37 deletions
diff --git a/website/index.mdwn b/website/index.mdwn index ecb4183..f7f9c06 100644 --- a/website/index.mdwn +++ b/website/index.mdwn 
@@ -1,11 +1,41 @@ -The Monkeysphere project's goal is to extend the web of trust model and other -features of OpenPGP to other areas of the Internet to help us securely identify -each other while we work online. +Monkeysphere is a framework to leverage the OpenPGP web of trust for +OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and added +to the authorized\_keys and known\_hosts files used by OpenSSH for +connection authentication. [[bugs]] | [[download]] | [[news]] | [[documentation|doc]] ## Conceptual overview ## +[OpenSSH](http://openssh.com/) provides a functional way for +management of explicit RSA and DSA keys (without any type of [Public +Key Infrastructure +(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure)). The +basic idea of this project is to create a framework that uses +[GnuPG](http://www.gnupg.org/)'s keyring manipulation capabilities and +public keyservers to generate files that OpenSSH will accept and +handle as intended. This offers users of OpenSSH an effective PKI, +including the possibility for key transitions, transitive +identifications, revocations, and expirations. It also actively +invites broader participation in the +[OpenPGP](http://en.wikipedia.org/wiki/Openpgp) [web of +trust](http://en.wikipedia.org/wiki/Web_of_trust). + +Under the Monkeysphere, both parties to an OpenSSH connection (client +and server) have a responsibility to explicitly designate who they +trust to certify the identity of the other party. This trust +designation is explicitly indicated with traditional GPG keyring trust +model. No modification is made to the SSH protocol on the wire (it +continues to use raw RSA public keys), and it should work with +unpatched OpenSSH software. + +Monkeysphere does not modify ssh in any way, and ssh can be used "out +of the box". Monkeysphere is a set of tools that manages keys in the +known\_hosts and authorized\_keys files that ssh uses for connection +authentication. 
+ +## Philosophy ## + Humans (and [monkeys](http://www.scottmccloud.com/comics/mi/mi-17/mi-17.html)) have innate capacity to keep track of the identity of a finite number @@ -16,11 +46,12 @@ point, we can't know for sure that the person we ran into in the produce aisle really is the same person who we met at the party last week. -For most of us, this limitation has not posed much of a problem in our daily, -off-line lives. With the Internet, however, we have an ability to interact -with vastly larger numbers of people than we had before. In addition, on the -Internet we lose many of our tricks for remembering and identifying people -(physical characteristics, sound of the voice, etc.). +For most of us, this limitation has not posed much of a problem in our +daily, off-line lives. With the Internet, however, we have an ability +to interact with vastly larger numbers of people than we had +before. In addition, on the Internet we lose many of our tricks for +remembering and identifying people (physical characteristics, sound of +the voice, etc.). Fortunately, with online communications we have easy access to tools that can help us navigate these problems. 
@@ -30,42 +61,26 @@ messagess) is one such tool. In its simplest form, it allows us to sign our communication in such a way that the recipient can verify the sender. -OpenPGP goes beyond this simple use to implement a feature known as the [web of -trust](http://en.wikipedia.org/wiki/Web_of_trust). The web of trust -allows people who have never met in person to communicate with a reasonable -degree of certainty that they are who they say they are. It works like this: -Person A trusts Person B. Person B verifies Person C's identity. Then, Person -A can verify Person C's identity. +OpenPGP goes beyond this simple use to implement a feature known as +the [web of trust](http://en.wikipedia.org/wiki/Web_of_trust). The web +of trust allows people who have never met in person to communicate +with a reasonable degree of certainty that they are who they say they +are. It works like this: Person A trusts Person B. Person B verifies +Person C's identity. Then, Person A can verify Person C's identity. -The Monkeyshpere's goal is to extend the use of OpenPGP from email -communications to other activities, such as: +The Monkeyshpere's broader goals are to extend the use of OpenPGP from +email communications to other activities, such as: * conclusively identifying the remote server in a remote login session * granting access to servers to people we've never directly met -## Technical Details ## - -The project's first goal is to integrate with -[OpenSSH](http://openssh.com/). +## Links ## -OpenSSH provides a functional way for management of explicit RSA and -DSA keys (without any type of [Public Key Infrastructure -(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure)). The -basic idea of this project is to create a framework that uses GPG's -keyring manipulation capabilities and public keyservers to generate -files that OpenSSH will accept and handle as intended. 
This offers -users of OpenSSH an effective PKI, including the possibility for key -transitions, transitive identifications, revocations, and expirations. -It also actively invites broader participation in the OpenPGP Web of -Trust. +* [OpenSSH](http://openssh.com/) +* [GnuPG](http://www.gnupg.org/) +* [OpenPGP RFC 4880](http://tools.ietf.org/html/rfc4880) +* [URI scheme for SSH, RFC draft](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/) -Under the Monkeysphere, both parties to an OpenSSH connection (client -and server) have a responsibility to explicitly designate who they -trust to certify the identity of the other party. This trust -designation is explicitly indicated with traditional GPG keyring trust -model. No modification is made to the SSH protocol on the wire (it -continues to use raw RSA public keys), and it should work with -unpatched OpenSSH software. ---- |
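Review bot: in the first hunk (@@ -1,11 +1,41 @@) the new Conceptual overview says OpenSSH manages "explicit RSA and DSA keys", but two paragraphs later the same hunk says the connection "continues to use raw RSA public keys"; state which key types the generated authorized\_keys and known\_hosts entries can contain, or drop the DSA mention, so readers do not expect DSA OpenPGP keys to work. The hunk also states three times that OpenSSH is unmodified ("No modification is made to the SSH protocol on the wire", "it should work with unpatched OpenSSH software", "Monkeysphere does not modify ssh in any way"); one statement, in the closing paragraph, is enough. "This trust designation is explicitly indicated with traditional GPG keyring trust model" should read "This trust designation is indicated using the traditional GnuPG keyring trust model", and since the paragraph says each party designates who it "trust[s] to certify the identity of the other party", it is worth spelling out the consequence: a key marked as a trusted certifier can vouch for any identity, so an entry will be generated for any key that certifier has signed.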
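Review bot: in the third hunk (@@ -30,42 +61,26 @@) the rewritten line "+The Monkeyshpere's broader goals are to extend the use of OpenPGP" carries the "Monkeyshpere" misspelling over from the line it replaces; fix it to "Monkeysphere" while the paragraph is being rewritten, and the hunk-context word "messagess)" needs the same treatment. The reflowed sentence "Person A trusts Person B. Person B verifies Person C's identity. Then, Person A can verify Person C's identity." blurs two different relations: A trusts B as a certifier, B verifies and signs C's key, and A then accepts C's key as valid without verifying anything itself. Suggest: "Person A trusts Person B to certify identities. Person B verifies Person C's identity and signs Person C's key. Person A can then accept Person C's key as valid." The new Links section adds "URI scheme for SSH, RFC draft" with nothing on the page saying how the project uses it; a short parenthetical after the link, or a sentence in the overview, should say why a reader would follow it.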