From 2f9fe93b98ed32b662212899db6ba2174c1138d3 Mon Sep 17 00:00:00 2001 From: Matthew James Goins Date: Sat, 20 Mar 2010 15:07:30 -0400 Subject: Removed docs and website. They will now reside (for my repo) at git://lair.fifthhorseman.net/~mjgoins/monkeysphere.info/ --- doc/ExternalValidation.html | 232 ------------------------- doc/MonkeySpec | 81 --------- doc/TODO | 51 ------ doc/announcement.html | 56 ------ doc/artwork/Makefile | 2 - doc/artwork/Monkey.svg | 52 ------ doc/artwork/logo.svg | 117 ------------- doc/conferences/lca2010/abstract | 65 ------- doc/conferences/lca2010/bio | 23 --- doc/conferences/lca2010/experience | 26 --- doc/conferences/lca2010/outline | 62 ------- doc/conferences/lca2010/techrequirements | 1 - doc/conferences/lca2010/title | 1 - doc/conferences/lca2010/videoabstract | 1 - doc/conferences/seminar/abstract | 17 -- doc/conferences/seminar/outline | 43 ----- doc/george/changelog | 281 ------------------------------- doc/george/host-key-publication | 28 --- doc/george/keyserver-local | 24 --- doc/george/policy | 33 ---- doc/george/user-id-configuration | 40 ----- doc/ikiwiki.setup.sample | 29 ---- doc/zimmermann/changelog | 71 -------- doc/zimmermann/https-proxy | 14 -- doc/zimmermann/index.html | 73 -------- 25 files changed, 1423 deletions(-) delete mode 100644 doc/ExternalValidation.html delete mode 100644 doc/MonkeySpec delete mode 100644 doc/TODO delete mode 100644 doc/announcement.html delete mode 100644 doc/artwork/Makefile delete mode 100644 doc/artwork/Monkey.svg delete mode 100644 doc/artwork/logo.svg delete mode 100644 doc/conferences/lca2010/abstract delete mode 100644 doc/conferences/lca2010/bio delete mode 100644 doc/conferences/lca2010/experience delete mode 100644 doc/conferences/lca2010/outline delete mode 100644 doc/conferences/lca2010/techrequirements delete mode 100644 doc/conferences/lca2010/title delete mode 100644 doc/conferences/lca2010/videoabstract delete mode 100644 doc/conferences/seminar/abstract delete mode 100644 doc/conferences/seminar/outline delete mode 100644 doc/george/changelog delete mode 100644 doc/george/host-key-publication delete mode 100644 doc/george/keyserver-local delete mode 100644 doc/george/policy delete mode 100644 doc/george/user-id-configuration delete mode 100644 doc/ikiwiki.setup.sample delete mode 100644 doc/zimmermann/changelog delete mode 100644 doc/zimmermann/https-proxy delete mode 100644 doc/zimmermann/index.html (limited to 'doc') diff --git a/doc/ExternalValidation.html b/doc/ExternalValidation.html deleted file mode 100644 index d176957..0000000 --- a/doc/ExternalValidation.html +++ /dev/null @@ -1,232 +0,0 @@ - -
This is Google's cache of http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation. It is a snapshot of the page as it appeared on Dec 15, 2008 14:31:48 GMT. The current page could have changed in the meantime. Learn more

Text-only version
-
These terms only appear in links pointing to this page: http redmine josefsson org wiki gnutls gnutlsexternalvalidation  
- - - -GnuTLS - GnuTLSExternalValidation - Redmine - - - - - - - - - - - - - - - - - -
- - - - -
- - -
- - -
- - - - - - - - -History -
- - - - - -
-

GnuTLSExternalValidation

- - -

This page is intended to flesh out ideas to externalize the X.509 chain validation, X.509 private key handling, and possibly also OpenPGP validation and private key handling.

- - -

It is important to realize that these are different problems, so the solution may be different. Let's first make the goals clear:

- - -
    -
  • Make it possible to store private keys in a process different from the process that runs the GnuTLS client/server.
    • -
  • Make it possible to perform X.509 chain validation in a different process.
    • -
  • Make it possible to perform OpenPGP key validation in a different process.
    • -
- - -

One must decide whether the external agent should be responsible for making authentication decisions, authorization decisions, or both. Possibly it should be able to make both kind of decisions. The GnuTLS process can always make further authorization decisions as well.

- - -

For private keys, there is the PKCS#11 interface. GnuTLS has a branch that supports it. However, PKCS#11 doesn't solve the problem with an external process. It seems better to move the PKCS#11 interface to the external agent, rather than adding PKCS#11 interface to GnuTLS itself. Btw, GnuTLS already has PKCS#11 support on a special branch, and has been tested against the Scute PKCS#11 provider together with a Swedish eID X.509 smartcard.

- - -

The solution should allow simple integration with GNOME components such as SeaHorse.

- - -

Private key protocol

- - -

Possible we should re-use GnuPG's external protocol here? What we need is an IPC protocol that does:

- - - 
SIGN [ALG] [KEY-ID] [TLS-DATA]
- - -

Where KEY-ID somehow denotes a key to use, and TLS-DATA is the data that needs to be signed using the TLS algorithm. Given that TLS supports several algorithms, and even RSA is supported in more than one mode, there needs to be an ALG flag to indicate this.

- - -

X.509 Chain Validation

- - -

GnuPG's dirmngr has a protocol for doing this, using assuan. Unfortunately, assuan's design criteria state "no protection against DoS needed". This might make it unsuitable for a TLS implementation or other online tool.

- - -

It is not clear to me whether the trusted CAs should be sent over the IPC, or whether it is something that is assumed to be known by the agent. The latter seems safer, but the former may be useful in some scenarios. (what scenarios?) They aren't mutually incompatible, so maybe we can support both.

- - -

Thus we need a command to send over a trusted certificate:

- - - 
TRUSTED [b64pem...]
- - -

And also send over untrusted certificates provided by the TLS peer:

- - - 
UNTRUSTED [b64pem...]
- - -

Finally, a request to perform chain validation on a particular certificate is performed using:

- - - 
VALIDATE [b64pem...]
- - -

Generic Certificate Validation

- - -

It would be nice to be able to hand the agent any kind of certificate (OpenPGP or X.509), or even to be able to hand the agent a raw public key to see if it validates.

- - -

The crucial request would be:

- - - 
VALIDATE {LABEL} {CERTTYPE} {PEERNAME} {CERTIFICATE}
- - -

This says "I'm a program called LABEL. I'm about to send you a certificate of type CERTTYPE. I want you to tell me whether the specified PEERNAME matches one of the names stored in the certificate, and that the matching name in the certificate is cryptographically valid based on your knowledge of trusted certifiers."

- - -

The agent can respond with VALID or INVALID. We maybe should consider whether INVALID might be implemented as an extensible set of reasons for invalidity (e.g. EXPIRED, NOMATCH, UNTRUSTED, SELFSIGNED, etc): would the potential extensibility from this outweigh the added implementation and semantic complexity?

- - -

The possible options for CERTTYPE could be:

- - - - - -

This would allow numerous clients and servers to make use of the validation agent. For example:

- - -
    -
  • lsh could feed its fetched host keys to the validation agent instead of having to maintain ~/.lsh/host-acls
    • -
  • slapd could use the validation agent to identify the DN of the remote client.
    • -
  • subversion could ask the validation agent to ensure that the OpenPGP certificate offered by a remote https server (using mod_gnutls) is in fact who it claims to be (and the mod_gnutls could validate the identity of the client in the same way).
    • -
- - -

Additionally, it might be nice to have a command to offer intermediate certificates to the certificate store:

- - - 
UNTRUSTED {LABEL} {CERTTYPE} {CERTIFICATE}
- - -

using UNTRUSTED with a RAWPUBKEY certificate wouldn't be a meaningful operation, but it could be used for intermediate X.509 certificates, or for the equivalent OpenPGP certificates (if such things were handy).

-
- - - - - - -

-Also available in: -HTML -TXT -

- - - - - - - -
-
- - - - -
- - - diff --git a/doc/MonkeySpec b/doc/MonkeySpec deleted file mode 100644 index 66f44b0..0000000 --- a/doc/MonkeySpec +++ /dev/null @@ -1,81 +0,0 @@ -THE MONKEYSPHERE -================ - -Monkeysphere is authentication layer that allows the sysadmin to -perform authorization on OpenPGP user identities instead of on keys. -It also allows end users to authenticate/identify the ssh server they -are connecting to by checking the sysadmin's certification. - -* GENERAL GOAL - use openpgp web-of-trust to authenticate ppl for SSH -* SPECIFIC GOAL - allow openssh to tie into pgp web-of-trust without - modifying the openpgp spec, gpg or openssh -* DESIGN GOALS - authentication, use the existing generic OpenSSH - client, the admin can make it default, although end-user should be - decide to use monkeysphere or not -* DESIGN GOAL - use of monkeysphere should not radically change - connecting-to-server experience - -Host identity piece of monkeysphere could be used without buying into -the user authentication component. - - -USE CASE -======== - -Dramatis Personae: http://en.wikipedia.org/wiki/Alice_and_Bob -Backstory: http://www.conceptlabs.co.uk/alicebob.html - -Bob wants to sign on to the computer "mangabey.example.org" via -monkeysphere framework. He doesn't yet have access to the machine, -but he knows Alice, who is the admin of mangabey. Alice and Bob, -being the conscientious netizens that they are, have already published -their personal gpg keys to the web of trust, and being good friends, -have both signed each other's keys and marked each others keys with -"full" ownertrust. - -When Alice set up mangabey initially, she published an OpenPGP key for -the machine with the special userid of "ssh://mangabey.example.org". -She also signed mangabey's OpenPGP key and published this -certification to commonly-used keyservers. Alice also configured -mangabey to treat her own key with full ownertrust, so that it knows -how to identify connecting users. - -Now, Alice creates a user account "bob" on mangabey, and puts Bob's -userid ("Bob ") in the authorized_user_ids file for -user bob on mangabey. The monkeysphere automatically (via cron or -inotify hook) takes each userid in bob's authorized_user_ids file, and -looks on a keyserver to find all public keys associated with that user -ID, with the goal of populating the authorized_keys file for -bob@mangabey. - -In particular: for each key found, the server evaluates the calculated -validity of the specified user ID based on the ownertrust rules it has -configured ("trust alice's certifications fully", in this example). -For each key for which the user ID in question is fully-valid, it -extracts all DSA- or RSA-based primary or secondary keys marked with -the authentication usage flag, and converts these OpenPGP public keys -into ssh public keys. These keys are automatically placed into the -authorized_keys file for bob. - -Bob now attempts to connect, by firing up a terminal and invoking: -"ssh bob@mangabey.example.org". Bob's monkeysphere-enabled ssh client -notices that mangabey.example.org isn't already available in bob's -known_hosts file, and fetches the host key for mangabey from the -public keyservers, with the goal of populating Bob's local known_hosts -file. - -In particular: the monkeysphere queries its configured keyservers to -find all public keys with User ID ssh://mangabey.example.org. For -each public key found, it checks the relevant User ID's validity, -converts any authentication-capable OpenPGP public keys into ssh -public keys if the User ID validity is acceptable, and finally insert -those keys into Bob's known_hosts file. - -On Bob's side, since mangabey's key had "full" validity (it was signed -by Alice, whom he fully trusts), Bob's ssh client deems mangabey -"known" and no further host key checking is required. - -On mangabey's side, since Bob's key has "full" validity (it had been -signed by Alice, mangabey's trusted administrator), Bob is -authenticated and therefore authorized to log into his account. - diff --git a/doc/TODO b/doc/TODO deleted file mode 100644 index d365ac7..0000000 --- a/doc/TODO +++ /dev/null @@ -1,51 +0,0 @@ -Next-Steps Monkeysphere Projects: ---------------------------------- - -Detail advantages of monkeysphere: detail the race conditions in ssh, - and how the monkeysphere can help you reduce these threat vectors: - threat model reduction diagrams. - -Handle unverified monkeysphere hosts in such a way that they're not - always removed from known_hosts file. Ask user to lsign the host - key? - -Resolve the bugs listed in openpgp2ssh(1):BUGS. - -Understand and document the output of gpg --check-trustdb: - gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model - gpg: depth: 0 valid: 2 signed: 20 trust: 0-, 0q, 0n, 0m, 0f, 2u - gpg: depth: 1 valid: 20 signed: 67 trust: 15-, 0q, 1n, 3m, 1f, 0u - gpg: next trustdb check due at 2008-10-09 - -Understand and document the numeric values between sig! and the keyid - in "gpg --check-sigs $KEYID" . Compare with the details found from - "gpg --with-colons --check-sigs $KEYID". This has to do with trust - signatures. - -Fix gpg's documentation to clarify the difference between validity and - ownertrust. Include better documentation for trust signatures. - -Make it easier to do domain-relative ssh host trust signatures with - gnupg. (e.g. "i trust Jamie McClelland (keyID 76CC057D) to properly - identify ssh servers in the mayfirst.org domain") See: - http://tools.ietf.org/html/rfc4880#section-5.2.3.21 and grep for - "tsign" in gpg(1). - -Fix the order of questions when user does a tsign in gpg or gpg2. - -When using ssh-proxycommand, if only host keys found are expired or - revoked, then output loud warning with prompt, or fail hard. - -File bug against enigmail about lack of ability to create subkeys. - -Test and document what happens when any filesystem that the - monkeysphere-server relies on and modifies (/tmp, /etc, and /var?) - fills up. - -Optimize keyserver access, particularly on monkeysphere-server - update-users -- is there a way to query the keyserver all in a - chunk? - -Think about packaging monkeysphere for other (non-apt-based) operating - systems. RPM-based linux systems, FreeBSD ports, and Mac OS X seem - like the most likely candidates. diff --git a/doc/announcement.html b/doc/announcement.html deleted file mode 100644 index 0dbb249..0000000 --- a/doc/announcement.html +++ /dev/null @@ -1,56 +0,0 @@ - - - - -Announcing the Monkeysphere - - - - - -

Monkeysphere: an OpenPGP-based PKI for SSH

- -

Ever thought that there should be an automated way to handle ssh -keys? Do you know the administrators of your servers, and wish that -SSH could verify new host keys from them automatically, based on your -personal connections to the web-of-trust? Do you wish you could -revoke and/or rotate your old SSH authentication keys without having -to log into every single machine you have an account on?

- -

Do you administer servers, and wish you could re-key them without -sowing massive confusion among your users (or worse, encouraging bad -security habits among them)? Do you wish you could grant access to -your users by name, instead of by opaque string? Do you wish you -could rapidly revoke access to a user (or compromised key) across a -group of machines by disabling authentication for that user?

- -

A group of us have been working on a public key infrastructure for -SSH. Monkeysphere makes use -of the existing OpenPGP web-of-trust to fetch and cryptographically -validate (and revoke!) keys. This works in both direction: -authorized_keys and known_hosts are -handled. Monkeysphere gives users and admins tools to deal with SSH -keys by thinking about the people and machines to whom the keys -belong, instead of requiring humans to do tedious (and error-prone) -manual key verification.

- -

We have debian -packages available which should install against lenny (for i386, -amd64, powerpc, and arm architectures at the moment), a mailing -list, and open ears for good questions, suggestions and -criticism.

- -

If you have a chance to give it a try (as a -user or as an -admin), it would be great to get -feedback.

- - diff --git a/doc/artwork/Makefile b/doc/artwork/Makefile deleted file mode 100644 index b0cb37a..0000000 --- a/doc/artwork/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -logo.png: logo.svg - inkscape -e logo.png logo.svg diff --git a/doc/artwork/Monkey.svg b/doc/artwork/Monkey.svg deleted file mode 100644 index a458809..0000000 --- a/doc/artwork/Monkey.svg +++ /dev/null @@ -1,52 +0,0 @@ - - - - - - - image/svg+xml - - - - - - - - diff --git a/doc/artwork/logo.svg b/doc/artwork/logo.svg deleted file mode 100644 index 355ea73..0000000 --- a/doc/artwork/logo.svg +++ /dev/null @@ -1,117 +0,0 @@ - - - - - - - - - - - - - image/svg+xml - - - - - - - - - monkey - sphere - - - diff --git a/doc/conferences/lca2010/abstract b/doc/conferences/lca2010/abstract deleted file mode 100644 index 2770675..0000000 --- a/doc/conferences/lca2010/abstract +++ /dev/null @@ -1,65 +0,0 @@ -The Monkeysphere uses the OpenPGP web of trust to provide a -distributed Public Key Infrastructure (PKI) for users and -administrators of ssh. This talk is about why the Monkeysphere is -useful, how it works, and how you can use it to ease your workload and -automatically fully authenticate people and servers. - -The Secure Shell protocol has offered public-key-based mutual -authentication since its inception, but popular implementations offer -no formalized public key infrastructure. This means there is no -straightforward, computable method to signal re-keying events, key -revocations, or even basic key-to-identity binding (e.g. "host -foo.example.org has key X"). As a result, dealing with host keys is -usually a manual process with the possibility of tedium, room for -error, difficulty of maintenance, or users and administrators simply -ignoring or skipping baseline cryptographic precautions. - -The OpenPGP specification offers a robust public key infrastructure -that has traditionally only been used for e-mail and for encrypted -storage. By its nature, the OpenPGP Web of Trust (WoT) is a -distributed system, with no intrinsic chokepoints or global -authorities. And the global key distribution network provides -commonly-held, public infrastructure for rapid distribution of key -changes, revocations, and identity binding. - -The Monkeysphere mixes the two to provide new functionality for ssh -(key revocation, key expiry, re-keying, fewer unintelligible prompts, -semantic authorization, etc) while taking advantage of existing but -often-unused functionality in OpenPGP. Additionally, the Monkeysphere -implementation does not require any patches to OpenSSH on the client -or server, but takes advantage of existing hooks, which makes it easy -to adopt. - -Specifically, the Monkeysphere allows users to automatically validate -ssh host keys through the Web of Trust, and it allows servers to -identify authorized users through the Web of Trust. Users decide -which certifications in the Web of Trust they put stock in (so they -are not spoofed by spurious certifications of host keys). Server -administrators decide whose certifications the server should put stock -in (so that the server is not spoofed by spurious certifications of -user keys). - -This presentation will go over how the Monkeysphere works; how you can -use it to increase the security of servers you maintain; how you can -use it to increase the security of accounts you connect to with ssh; -and we'll discuss future possibilities lurking in the ideas of the -Monkeysphere. - -Monkeysphere is currently available in the main Debian repository and -as a port in FreeBSD. A Slackbuild is available for Slackware, and -Monkeysphere itself should work on any POSIX-ish system with the -appropriate dependencies available. - -The Monkeysphere project began to coalesce in early 2008, and remains -an ongoing collaboration of many people, including: - - * Micah Anderson - * Mike Castleman - * Daniel Kahn Gillmor - * Ross Glover - * Matthew James Goins - * Greg Lyle - * Jamie McClelland - * Jameson Graef Rollins - -The project's main web site is http://web.monkeysphere.info/ diff --git a/doc/conferences/lca2010/bio b/doc/conferences/lca2010/bio deleted file mode 100644 index f358e02..0000000 --- a/doc/conferences/lca2010/bio +++ /dev/null @@ -1,23 +0,0 @@ -Daniel Kahn Gillmor (dkg) is a freelance Technology Advisor with a -particular interest in cryptography, user interface design, and -distributed systems as means to pursue the goals of user autonomy and -resistance to centralized control. He contributes discussion and -patches on several crypto-related lists, and is an active participant -in what remains of the IETF OpenPGP Working Group. He co-administers -one of the OpenPGP keyservers, and was dubiously involved in -publicizing the ongoing transition to a post-SHA1 Web of Trust. - -dkg works with schools, NGOs, activist groups, and some corporations -to help them understand their tech needs and risks, possible -solutions, and how to use and understand the tools they choose. He -works with several technology-focused organizations, including May -First/People Link (http://mayfirst.org/) and Riseup -(http://riseup.net). - -He is also a contributor to The Organic Internet -(http://mayfirst.org/organicinternet), which includes his essay about -structural flaws in the X.509 certificate model. - -dkg began working with free software in 2002, began work with the -other Monkeysphere developers in 2008, and became a Debian Developer -in 2009. People seem to laugh when they see his business card. diff --git a/doc/conferences/lca2010/experience b/doc/conferences/lca2010/experience deleted file mode 100644 index 8ca2a8e..0000000 --- a/doc/conferences/lca2010/experience +++ /dev/null @@ -1,26 +0,0 @@ -I've given several workshops and skillshares about the ideas behind -OpenPGP and how to use gpg and its various frontends to -small-to-medium groups (5 to 25 people). - -I led an effective skillshare on the nature of X.509-based -certifications and how they are used in SSL and TLS back in 2003 or -2004. - -I co-led a surprisingly large (~>50 people? packed room!) discussion -about free software and why it should matter to users as well as -developers a the Grassroots Media Conference a few years ago with -Alfredo Lopez and Laura Quilter. This was a very active discussion, -and topics ranged from motivation and policy to moderately technical -concerns. - -I presented a poster with a colleague on a novel acoustic correlation -method at ICASSP (the IEEE's International Conference on Acoustics, -Speech, and Signal Processing) 2001 (though i've recently let my IEEE -membership lapse). - -I've introduced numerous people to the monkeysphere via IRC -discussions, and have a strong handle on both: - - * the necessary details to keep a technical audience engaged - - * the bigger-picture goals to keep a non-technical audience engaged diff --git a/doc/conferences/lca2010/outline b/doc/conferences/lca2010/outline deleted file mode 100644 index 15c4868..0000000 --- a/doc/conferences/lca2010/outline +++ /dev/null @@ -1,62 +0,0 @@ - - - -The presentation is in three parts: - -Background ----------- - - * Why authentication using asymmetric crypto (as opposed to shared - secrets) is important on today's network. - - * Overview of how ssh uses asymmetric crypto authentication (user -> - host, host -> user) - - * Overview of relevant bits of OpenPGP (key -> User ID bindings, - certifications, usage flags, key -> subkey bindings) - - * Overview of keyservers (the idea of gossip, One Big Network, - propagation, issues around redundancy, logging, private access) - - -How ---- - - * How does the monkeysphere do it? (very brief under-the-hood) - - * How does a server administrator publish a host's ssh key to the Web - of Trust? How do they maintain it? - - * How does a user incorporate WoT-based host-key checking into their - regular ssh usage? - - * How does a user publish their own ssh identity to the WoT for hosts - to find it? How do they maintain it? - - * How does a server administrator tell a server to admit certain - people (as identified by the WoT) to certain accounts? How do they - tell the server which certifications are trustworthy? - -Possible Futures ----------------- - - * Use the Monkeysphere with ssh implementations other than OpenSSH - (dropbear, lsh, putty, etc) - - * Expansion of the Monkeysphere's out-of-band PKI mechanism for - authentication in protocols other than SSH (TLS, HTTPS) without - protocol modification. - - * Use of OpenPGP certificates directly in SSH. OpenPGP is referenced - in RFC 4253 already: optional, rarely implemented, and deliberately - ambiguous about how to calculate key->identity bindings. - - * Use of OpenPGP certificates for authentication directly in - protocols. RFC 5081 provides a mechanism for OpenPGP certificates - in TLS, but is similarly ambiguous about certificate verification. - - * Better end-user control over verification: Who or what are you - really connecting to? How do you know? How can this information - be effectively and intuitively displayed to a typical user? - - * What would you like to see? diff --git a/doc/conferences/lca2010/techrequirements b/doc/conferences/lca2010/techrequirements deleted file mode 100644 index cc0d1b9..0000000 --- a/doc/conferences/lca2010/techrequirements +++ /dev/null @@ -1 +0,0 @@ -no non-standard technical requirements should be necessary. diff --git a/doc/conferences/lca2010/title b/doc/conferences/lca2010/title deleted file mode 100644 index 36ef904..0000000 --- a/doc/conferences/lca2010/title +++ /dev/null @@ -1 +0,0 @@ -Using the Monkeysphere: effective, distributed key management for SSH using the Web of Trust diff --git a/doc/conferences/lca2010/videoabstract b/doc/conferences/lca2010/videoabstract deleted file mode 100644 index 7e1536c..0000000 --- a/doc/conferences/lca2010/videoabstract +++ /dev/null @@ -1 +0,0 @@ -do we have something like this? diff --git a/doc/conferences/seminar/abstract b/doc/conferences/seminar/abstract deleted file mode 100644 index 83fddfc..0000000 --- a/doc/conferences/seminar/abstract +++ /dev/null @@ -1,17 +0,0 @@ -Monkeysphere provides a robust, decentralized, out-of-band Public Key -Infrastructure (PKI) based on OpenPGP's Web of Trust. It is intended -to support any protocol which needs public-key authentication or -binding between public keys and real-world entities. Current -implementations include mutual authentication (both server and client) -for SSH and authentication of servers for HTTPS. The technique is -resistant to X.509's inherent single-issuer policy bias, allows use of -a single key for a host offering multiple services, and handles -initial contact, re-keying, and revocation better than OpenSSH's -traditional key continuity management (KCM) scheme. It also requires -no changes to on-the-wire protocols, and is transparently -interoperable with existing tools, so the migration path to the new -PKI is smooth (and encouraged). Discussion will include the merits -and drawbacks of the Monkeysphere, as well as its relationship to -in-band measures (such as the Server Name Indication (SNI) TLS -extension and the subjectAltName (sAN) extended attribute for X.509v3 -certificates) which provide some pieces of similar functionality. diff --git a/doc/conferences/seminar/outline b/doc/conferences/seminar/outline deleted file mode 100644 index 1531353..0000000 --- a/doc/conferences/seminar/outline +++ /dev/null @@ -1,43 +0,0 @@ -outline for 1 hr seminar talk to CS/security academics - - - key-based authentication is here to stay. (e.g. https, ssh). - - host vs. user - - - raises key management/distribution issues - - - what PKIs are available? X.509, OpenPGP, SPKI - - - social vulnerabilities - single-signer vs. multi-signer - - - protocol vulnerabilities - single cert vs. multi-cert (server - vs. client again) - - - utility for group-internal work, phased approach to public - - - -Stream-based communications over the public network have an -authentication problem. Most data streams are not authenticated in -either direction, and most of those that are authenticated in at least -one direction use authentication regimes which suffer from a range of -known structural problems. - -Public-key-based authentication offers security advantages over -shared-secret approaches, but it introduces additional questions of -key distribution, binding, and revocation. Two common solutions to -these problems on today's network are X.509 certificates (used by TLS -connections like HTTPS) and so-called "key continuity management" -(KCM) (used by popular SSH implementations and the "security -exceptions" interface for some web browsers). Both of these schemes -present security concerns of their own: KCM has trouble with initial -contact, key revocation, and re-keying; and X.509's single-issuer -certificate format has a systemic bias that selects for unaccountable -third-party authorities. New work ("the Monkeysphere") extends the -OpenPGP Web of Trust into authenticating stream-based communications -(instead of its traditional message-based environment of e-mails and -files) by means of a protocol-independent overlay. As a simple, -alternative PKI, the Monkeysphere resolves these failings, and also -provides features currently only available as protocol extensions -(such as SNI). - - diff --git a/doc/george/changelog b/doc/george/changelog deleted file mode 100644 index ffb7cb0..0000000 --- a/doc/george/changelog +++ /dev/null @@ -1,281 +0,0 @@ -****************************************************************************** -* * -* george system log * -* * -****************************************************************************** -* Please add new entries in reverse chronological order whenever you make * -* changes to this system (first command at top, last at bottom) * -****************************************************************************** -2010-03-09 - micah - * setup /srv/micah.monkeysphere.info - * replaced /etc/mathopd.conf virtual for daniel with one for me - * removed /srv/daniel.monkeysphere.info - not used - -2010-03-08 - mjgoins - * Adding self to webmaster's authorized_user_ids - * updating ikiwiki to use the version from lenny backports - * changing the ikiwki markup to be appropriate for version 3.2xxx - -2010-02-23 - dkg - * add lenny-backports repo. - * remove monkeysphere repo. - * aptitude update && aptitude full-upgrade (including monkeysphere - 0.28-1~bpo50+1, and backported gpg) - -2010-01-12 - dkg - * aptitude update && aptitude full-upgrade (including monkeysphere - 0.27-1) - -2009-10-26 - dkg - * upgrade nginx in response to DSA-1920-1 - -2009-09-14 - dkg - * aptitude update && aptitude full-upgrade (bunch of lenny - updates, plus ikiwiki security upgrade) - -2009-04-21 - jrollins - * apt-get update && dist-upgrade (a bunch of stuff (monkeysphere, - screen, gnupg, dash, onak, git-core...) - * extended host key by 3 months - -2009-04-21 - micah - * aptitude update && aptitude full-upgrade (git-core DSA) - -2009-04-12 - dkg - * aptitude update && aptitude full-upgrade - * (checked and found that monkeysphere version 0.24-1 is already - installed; don't know how that happened, coulda been me, just - sloppy about not noting it in the changelog) - * extended host key by 4 months - -2009-02-22 - jrollins - * fixed /etc/crontab line for update-users (was trying to run - monkeysphere-server instead of monkeysphere-authentication). - -2009-02-21 - dkg - * upgraded to the latest versions of packages for lenny. - * upgraded george to monkeysphere 0.23.1. the transition upgrade - failed due to the way that gpg exports self-signatures secret - keys; it only exports the first self-sig for each user id, even if - that one is expired. Then any subsequent import fails, even if - the target import keyring knows about some valid self-signatures. - * i man-handled the upgrade into place so that george doesn't just - fail on us, but this is a pretty major bug in the transition process. - -2009-01-31 - jrollins - * applied diff represented in commit - f75a5747a8b99e04c02c475791c476f1fbd2b674 to change log level for - unacceptable untranslatable keys. - -2009-01-30 - micah - * Replaced nullmailer with postfix, nullmailer doesn't handle aliases - and insisted either on constantly respooling mail when there was no - where to go. - -2009-01-24 - micah - * Configured /etc/aliases to have root go to mjgoins, micah, dkg, jrollins - * Configured /etc/nullmailer/remotes to have mail.riseup.net so remote delivery will work - * Removed the hundreds of queued cron emails that had resulted in 30gig of mail.err logs - * Rotated the giant logs out - -2009-01-11 - dkg - * extended the expiration date for george's key three months into - the future. - * aptitude update && aptitude full-upgrade (brings monkeysphere to - 0.22-1) - -2008-10-29 - dkg - * aptitude update && aptitude full-upgrade - * brought monkeysphere up to 0.19-1 - * removed tasksel - -2008-10-25 - dkg - * aptitude update && aptitude full-upgrade - * brought monkeysphere up to 0.16-1 - * repointed keyserver usage to pool.sks-keyservers.net - -2008-09-04 - dkg - * added two mime-type declarations in /etc/mathopd.conf so .debs - and .tar.gz files come out reasonably; restarted mathopd for the - re-read. - * built monkeyshell (from src/monkeyshell) and installed as - /usr/local/bin/monkeyshell, added to /etc/shells. - * created new account "monkey" which has monkeyshell as the shell - for non-privileged test access. To let someone test this out, - make sure they're well-connected to george's web of trust, and - then add their User ID to - ~monkey/.monkeysphere/authorized_user_ids - * more mime types for mathopd: image/png image/x-icon - -2008-09-03 - micah - * migrated /home/*/.config/monkeysphere/authorized_user_ids to new - agreed location: /home/*/.monkeysphere/authorized_user_ids and created - a symlink in the original location for transition purposes. Also, - did /root's as well. I used this hackish mechanism: - $ for user in `find . -wholename './*/.config/monkeysphere/authorized_user_ids' \ - | cut -d/ -f2`; do mkdir -v ${user}/.monkeysphere; chown ${user}:${user} \ - ${user}/.monkeysphere; mv -v ${user}/.config/monkeysphere/authorized_user_ids \ - ${user}/.monkeysphere; ln -s /home/${user}/.monkeysphere/authorized_user_ids \ - ${user}/.config/monkeysphere/authorized_user_ids; done - - - dkg - * added the monkeysphere archive repository signing key - * aptitude update && aptitude full-upgrade (brings in monkeysphere 0.13-1) - * cleaned up /etc/skel to reflect correct location of the - monkeysphere config directory. - * micah moved all the existing config stuff over, and left - symlinks so people aren't disoriented. - -2008-09-01 - dkg - * set up http://dkg.monkeysphere.info so that i could play around - with ikiwiki updates - * moved apt repository over to http://archive.monkeysphere.info/ - * aptitude update && aptitude dist-upgrade - * canonicalizing hostname for normal web access to - http://web.monkeysphere.info - -2008-08-26 - dkg - * aptitude update && aptitude full-upgrade - * added account 'daniel' for Dan Scott, and set him up with a way - to publish to http://daniel.monkeysphere.info - -2008-08-20 - dkg - * aptitude update && aptitude dist-upgrade: this includes - monkeysphere 0.11-1 and OpenSSH 5.1p1-2 - -2008-08-18 - dkg - * moved monkeysphere apt repo entry to - /etc/apt/sources.list.d/monkeysphere.list - * aptitude update && aptitude full-upgrade (including monkeysphere - 0.9-1) - * switched george's monkeysphere-server preferred keyserver to - monkeysphere.info for the moment. Both pgp.mit.edu and - subkeys.pgp.net are sluggish right now :/ - -2008-08-16 - jrollins - * removed stale branches from jrollins from the master repo - * aptitude update && aptitude full-upgrade - * restarted services to clear up dependencies on old libraries - -2008-08-13 - dkg - * aptitude update && aptitude full-upgrade - * restarted services to clear up dependencies on old libraries - -2008-08-07 - dkg - * aptitude update && aptitude dist-upgrade - * removed debian's experimental from the sources.list - * removed experimental stanza from /etc/apt/preferences (now the - monkeysphere packages should upgrade automatically) - * upgraded to monkeysphere 0.7-1 - * installed runit - * set up a public git daemon service to serve git repos from - george, using runit. (root-served repos are served from - /srv/git, but ~USER/public_git is supported as well, if anyone - wants to use that for publication). - -2008-08-03 - dkg - * aptitude update && aptitude dist-upgrade - * installed iproute - * added my User ID to ~webmaster/.config/monkeysphere/authorized_user_ids - -2008-08-02 - jrollins - * aptitude update && aptitude dist-upgrade - * restarted cron, nullmailer, sshd - * aptitude install git-core ikiwiki - * adduser webmaster - * su - webmaster - * created a bare repo at ~webmaster/monkeysphere.git. I then - pushed into this repo from my working directory on servo to verify - that it was accepting. - * cloned above repo at ~webmaster/monkeysphere - * created ~webmaster/ikiwiki.setup - * ikiwiki --setup ikiwiki.setup - * linked post-receive to new post-commit hook in monkeysphere.git - * changed default keyserver to be pgp.mit.edu (subkeys.pgp.net - blows) - * updated /etc/skel with ssh and monkeysphere stuff - * made authorzied_user_ids file for webmaster and ran - "monkeysphere-server u webmaster". - -2008-06-23 - dkg - * added monkeysphere apt repository to /etc/apt/sources.list - * added dkg's key to apt's list of trusted keys. - * ran aptitude dist-upgrade - * upgraded to monkeysphere 0.2-1 - * moved authorized_user_ids files into users' home directories. - * installed lockfile-progs - -2008-06-22 - dkg - * installed screen (mjgoins and i were collaborating) - -2008-06-21 - micah - * Restored /etc/init.d/ssh to original package state and changed - /etc/default/ssh to have 'unset SSHD_OOM_ADJUST' instead. - -2008-06-20 - micah - * Commented out the 'export SSHD_OOM_ADJUST=-17' from the - /etc/init.d/ssh initscript, and the 'SSHD_OOM_ADJUST=-17' from - /etc/default/ssh in order to make this error go away: - "error writing /proc/self/oom_adj: Operation not permitted" - (c.f. Debian #487325) - -2008-06-20 - dkg - * touched /etc/environment to get rid of some spurious auth.log - entries. - * turned up sshd's LogLevel from INFO to DEBUG - -2008-06-19 - dkg - * installed rsync (for maintaining a public apt repo) - - * configured mathopd to listen on port 80, serving /srv/www as / - and /srv/apt as /debian. We've got nothing in /srv/www at the - moment, though. - - * installed lsof and psmisc as sysadmin utilities. sorry for the - bloat! - - * installed strace to try to figure out why onak is segfaulting. - -2008-06-19 - dkg - * removed etch sources, switched "testing" to "lenny", added - lenny/updates, removed all contrib and non-free. - - * removed testing pin in /etc/apt/preferences - * ran the upgrade - - * reset emacs22 to emacs22-nox (avoiding dependencies) - - * removed sysklog and klogd because of errors restarting klogd. - Installed syslog-ng in their stead, which still gives errors - related to /proc/kmsg unreadability, but the install completes :/ - - * added experimental - * juggled pinning: experimental: 1, unstable: 2 - * added mathopd onak, tweaked /etc/mathopd.conf and /etc/onak.conf - - * installed monkeysphere v0.1-1, changed host key, published - them via the local keyserver (see host-key-publication) - - * added local unprivileged user accounts for everyone listed in - /usr/share/doc/monkeysphere/copyright - - * configured authorized_user_ids for every user account based on - my best guess at their OpenPGP User ID (see - user-id-configuration). - - * set up a cronjob (in /etc/crontab) to run "monkeysphere-server - update-users" at 26 minutes past the hour. - -2008-06-18 - jrollins - * installed less, emacs; - * aptitude update && aptitude dist-upgrade - -2008-06-18 - micah - * debootstrap'd debian etch install - * installed /etc/apt/sources.list with local proxy sources for etch, - testing, unstable, backports and volatile - * configured /etc/apt/preferences and apt.conf.d/local-conf to - pin etch, but make testing, sid and backports available - * added backports.org apt-key - * installed openssh-server and openssh-client packages - * added dkg, jrollins, mjgoins ssh public_keys to /root/.ssh/authorized_keys diff --git a/doc/george/host-key-publication b/doc/george/host-key-publication deleted file mode 100644 index 03e2510..0000000 --- a/doc/george/host-key-publication +++ /dev/null @@ -1,28 +0,0 @@ -2008-06-19 02:34:57-0400 ------------------------- - -Adding george's host key to the monkeysphere was more complicated than -it needed to be. - -As the server admin, i did (accepting the defaults where possible): - - monkeysphere-server gen-key - KEYID=$(GNUPGHOME=/etc/monkeysphere/gnupg gpg --with-colons --list-key =ssh://$(hostname --fqdn) | grep ^pub: | cut -f5 -d:) - (umask 077 && GNUPGHOME=/etc/monkeysphere/gnupg gpg --export-secret-key $KEYID | openpgp2ssh $KEYID >/etc/monkeysphere/ssh_host_rsa_key) - # modify /etc/ssh/sshd_config to remove old host keys lines, and - # add new line: HostKey /etc/monkeysphere/ssh_host_rsa_key - /etc/init.d/ssh restart - - KEYSERVER=george.riseup.net monkeysphere-server publish-key - # (needed to publish by hand here because of reasonable sanity checks) - monkeysphere-server show-fingerprint - - # then from a remote host: - gpg --keyserver george.riseup.net --search =ssh://george.riseup.net - gpg --fingerprint --sign-key =ssh://george.riseup.net - KEYID=$(gpg --with-colons --list-key =ssh://george.riseup.net | grep ^pub: | cut -f5 -d:) - gpg --keyserver george.riseup.net --send "$KEYID" - gpg --keyserver george.riseup.net --send "$MYGPGID" - - -How could this have been streamlined? diff --git a/doc/george/keyserver-local b/doc/george/keyserver-local deleted file mode 100644 index 7d532cf..0000000 --- a/doc/george/keyserver-local +++ /dev/null @@ -1,24 +0,0 @@ -Wed Jun 25 02:03:39 EDT 2008 matt goins - -On Saturday (2008-6-22) dkg and I set up sks as a replacement for onak. onak -had proven to be unstable, mostly in that it tended to corrupt its own database -beyond repair. - -The sks instructions want the admin to download many huge dumps of keys from -the world's keyservers (on the order of 5 GiB?), so we imported a dump -containing only my key. We learned that sks won't start with an empty database, -unlike onak. - -2008-06-25: Locally exported george's key to its keyserver. Tried a remote -send-keys of squash's key and it appears to work. - - -TODO: - - * Get some more keys in there. - - * Read up on syncing with other keyservers. - - - - diff --git a/doc/george/policy b/doc/george/policy deleted file mode 100644 index a17a310..0000000 --- a/doc/george/policy +++ /dev/null @@ -1,33 +0,0 @@ -Policy for maintaining george.riseup.net ----------------------------------------- - -Riseup graciously provided the MonkeySphere project with a vserver for -testing and public documentation. This is known as george.riseup.net, -for those who are curious about the MonkeySphere. - -george will be maintained as a debian lenny machine, with minimal -packages from experimental as needed for installing and running what -we build elsewhere. - -george will host 3 public-facing services: an ssh daemon on port 22, -an http service on port 80, and an OpenPGP keyserver (the HKP -protocol) on port 11371. - -Administration of george is a shared responsibility across the core -members of the MonkeySphere development team. Administrators will log -changes in their git repositories, in doc/george/changelog (a peer of -this policy file). - -monkeysphere packages installed on george will use unique, tagged -version numbers so we know what we're running. - -We will try to keep the installation as minimal as possible while -still allowing for comfortable day-to-day administration. - -We will use aptitude for package management where possible. - -Outstanding questions: - -Who should have superuser access? - -Who should get regular user accounts? diff --git a/doc/george/user-id-configuration b/doc/george/user-id-configuration deleted file mode 100644 index 9a7f4d2..0000000 --- a/doc/george/user-id-configuration +++ /dev/null @@ -1,40 +0,0 @@ -2008-06-19 03:00:58-0400 ------------------------- - -setting up authorized_user_id configuration on george was also more -cumbersome than it needs to be. Here's what i (dkg) did: - -monkeysphere-server trust-keys 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 - -monkeysphere-server update-user-userids dkg 'Daniel Kahn Gillmor ' -monkeysphere-server update-user-userids jrollins 'Jameson Rollins ' -monkeysphere-server update-user-userids micah 'Micah Anderson ' -monkeysphere-server update-user-userids mjgoins 'Matthew Goins ' -monkeysphere-server update-user-userids ross 'Ross Glover ' -monkeysphere-server update-user-userids jamie 'Jamie McClelland ' -monkeysphere-server update-user-userids mlcastle 'mike castleman ' -monkeysphere-server update-user-userids enw 'Elliot Winard ' -monkeysphere-server update-user-userids greg 'Greg Lyle ' - - -then i added a scheduled: - - monkeysphere-server update-users - -to run hourly via /etc/crontab - -and made sure that root's keys were working with a temporary symlink -(see TODO about that business) - -and then modified /etc/ssh/sshd_config with: - - AuthorizedKeysFile /var/cache/monkeysphere/authorized_keys/%u - - -Some outstanding questions: - - * Should we ship a scheduled monkeysphere-server update-users cron - job automatically? - - * why was i not prompted to confirm the trust-keys line, which seems - like the most delicate/sensitive line of all of them? diff --git a/doc/ikiwiki.setup.sample b/doc/ikiwiki.setup.sample deleted file mode 100644 index 97e77c8..0000000 --- a/doc/ikiwiki.setup.sample +++ /dev/null @@ -1,29 +0,0 @@ -use IkiWiki::Setup::Standard { - wikiname => "Monkeysphere", - adminemail => 'webmaster@monkeysphere.info', - - srcdir => "/path/to/cloned/monkeysphere/repo/website", - destdir => "/path/to/web/dir", - - url => "http://monkeysphere.info", - - rcs => "git", - - wrappers => [ - { - wrapper => "/path/to/post-receive/hook", - wrappermode => "0755", - } - ], - - rss => 1, - atom => 1, - verbose => 0, - syslog => 0, - - add_plugins => [qw{goodstuff favicon toc sidebar}], - - - tagbase => "tags", - -} diff --git a/doc/zimmermann/changelog b/doc/zimmermann/changelog deleted file mode 100644 index f3e8171..0000000 --- a/doc/zimmermann/changelog +++ /dev/null @@ -1,71 +0,0 @@ -****************************************************************************** -* * -* zimmermann system log * -* * -****************************************************************************** -* Please add new entries in reverse chronological order whenever you make * -* changes to this system (first command at top, last at bottom) * -****************************************************************************** - -2010-03-10 - micah - * Updated /etc/monkeysphere/*.conf to use zimmermann - for the keyserver - -2010-03-09 - dkg - * transferred the https://z.m.o key from /root/.gnupg into the - monkeysphere-host keyring with: - - gpg --export-secret-keys | GNUPGHOME=/var/lib/monkeysphere/host gpg --import - - * used undocumented "monkeysphere-host update-pgp-pub-file" to - refresh the output of m-h s. - -2010-02-19 - dkg - * upgraded to monkeysphere 0.28-1~bpo50+1 (includes gnupg from - backports.org) - -2010-02-?? - dkg - * manually created an OpenPGP certificate for zimmermann's https - RSA key, stored in /root/.gnupg; published it to the keyserver - network, certified it myself. - -2008-11-29 - dkg - * zimmermann now uses an X.509 certificate signed by the MF/PL CA - for its HTTPS connection. - -2008-11-19 - dkg - * added 10 SKS peers as a result of feedback from sks-devel. - * set localtime to America/New_York via dpkg-reconfigure tzdata - * aptitude update && aptitude full-upgrade - * set up /var/lib/sks/www/index.html based on - doc/zimmermann/index.html from this repo. - * made nginx proxy plain ol' HTTP on port 80 also so that SKS does - not need to try to listen on a privileged port. - * turned on initial_stat and stat_hour: 3 in /etc/sks/sksconf - -2008-11-19 - mlc - * aptitude install nginx - * get rid of /etc/nginx/sites-enabled/default - * create /etc/nginx/sites-available/https-proxy and make a symlink - to it in the sites-enabled directory - * invoke-rc.d nginx start - -2008-11-17 - micah - * verified the SHA256 values for the key material - * /usr/lib/sks/sks_build.sh (chose option #2: normalbuild) - * chown -R debian-sks:debian-sks /var/lib/sks - * edit /etc/default/sks to enable the initscript - * /etc/init.d/sks start - * rm -rf /var/lib/sks/dump - -2008-11-15 - micah - * aptitude update && aptitude full-upgrade - * aptitude install sks - * cd /var/lib/sks/dump ; wget -q -r -np -nd -A bz2,SHA256,asc \ - http://nynex.net/keydump/ -e robots=off - * install monkeysphere 0.21-2 package - * apt-get install bzip2 ; bunzip2 /var/lib/sks/dump/*.bz2 - -2008-11-15 - jamie - * aptitude install esmtp-run mailx - * edited /etc/esmtp-run, configured to relay to bulk.mayfirst.org diff --git a/doc/zimmermann/https-proxy b/doc/zimmermann/https-proxy deleted file mode 100644 index c4521a7..0000000 --- a/doc/zimmermann/https-proxy +++ /dev/null @@ -1,14 +0,0 @@ -server { - listen 443; - server_name zimmermann.mayfirst.org; - ssl on; - ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; - ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; - ssl_ciphers HIGH:MEDIUM:!ADH; - - access_log off; - - location / { - proxy_pass http://localhost:11371/; - } -} diff --git a/doc/zimmermann/index.html b/doc/zimmermann/index.html deleted file mode 100644 index e8e36e0..0000000 --- a/doc/zimmermann/index.html +++ /dev/null @@ -1,73 +0,0 @@ - - - - SKS Search Page - - - - -

SKS OpenPGP Keyserver
@zimmermann.mayfirst.org

-

SKS is a OpenPGP keyserver whose goal is to provide easy to deploy, decentralized, and highly reliable synchronization. That means that a key submitted to one SKS server will quickly be distributed to all key servers, and even wildly out-of-date servers, or servers that experience spotty connectivity, can fully synchronize with rest of the system.

-

You can find out more about SKS, along with links to graphs of the network status here.

- - - - - - - - - - - -
-

Extract a key

-

You can extract a key by typing in some words that appear in the userid - of the key you're looking for, or by typing in the keyid in hex format ("0x...")

-

-

- Search String:
- Show PGP "fingerprints" for keys -
- Show SKS full-key hashes -
- Search for keys:
- get index of matching keys
- get verbose index of matching keys
- retrieve ascii-armored keys
- retrieve keys by full-key hash -
- - -
-
-
-

Submit a key

- You can submit a key by simply pasting in the ASCII-armored version - of your key and clicking on submit. -
-
- - -
-
-

- Access -

- To use this server directly via HKP add this to your .PGP keyserver list:
- -
x-hkp://zimmermann.mayfirst.org
-http://zimmermann.mayfirst.org:11371
- - You can also select a random server by adding this to your keyserver list:
- -
x-hkp://pool.sks-keyservers.net
-http://pool.sks-keyservers.net:11371
- -
- -
- [Server Status] If you have any questions - about or problems with this server, please open a ticket. - - -- cgit v1.2.3