The Monkeysphere uses the OpenPGP web of trust to provide a
distributed Public Key Infrastructure (PKI) for users and
administrators of ssh.  This talk is about why the Monkeysphere is
useful, how it works, and how you can use it to ease your workload and
automatically fully authenticate people and servers.

The Secure Shell protocol has offered public-key-based mutual
authentication since its inception, but popular implementations offer
no formalized public key infrastructure.  This means there is no
straightforward, computable method to signal re-keying events, key
revocations, or even basic key-to-identity binding (e.g. "host
foo.example.org has key X").  As a result, dealing with host keys is
usually a manual process with the possibility of tedium, room for
error, difficulty of maintenance, or users and administrators simply
ignoring or skipping baseline cryptographic precautions.

The OpenPGP specification offers a robust public key infrastructure
that has traditionally only been used for e-mail and for encrypted
storage.  By its nature, the OpenPGP Web of Trust (WoT) is a
distributed system, with no intrinsic chokepoints or global
authorities.  And the global key distribution network provides
commonly-held, public infrastructure for rapid distribution of key
changes, revocations, and identity binding.

The Monkeysphere mixes the two to provide new functionality for ssh
(key revocation, key expiry, re-keying, fewer unintelligible prompts,
semantic authorization, etc.) while taking advantage of existing but
often-unused functionality in OpenPGP.  Additionally, the Monkeysphere
implementation does not require any patches to OpenSSH on the client
or server, but takes advantage of existing hooks, which makes it easy
to adopt.

Specifically, the Monkeysphere allows users to automatically validate
ssh host keys through the Web of Trust, and it allows servers to
identify authorized users through the Web of Trust.  Users decide
which certifications in the Web of Trust they put stock in (so they
are not spoofed by spurious certifications of host keys).  Server
administrators decide whose certifications the server should put stock
in (so that the server is not spoofed by spurious certifications of
user keys).
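The trust decision described above, as an added toy model (not Monkeysphere's own code): a host key is accepted for "ssh://host" only if a certifier the user has chosen to trust certified that identity binding, and neither the key nor the certification is revoked or expired. The "ssh://host" User ID form, the fingerprints and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Cert:                        # one OpenPGP certification of a User ID
    signer: str                    # fingerprint of the certifying key
    expires: Optional[int] = None  # unix time; None means no expiry
    revoked: bool = False

@dataclass
class Key:                         # an OpenPGP key with its User IDs
    fpr: str
    uids: Dict[str, List[Cert]] = field(default_factory=dict)
    expires: Optional[int] = None
    revoked: bool = False

def _live(expires, revoked, now):
    return not revoked and (expires is None or now < expires)

def validated_host_key(host, keyring, trusted, now):
    """Fingerprint bound to 'ssh://host' by a certifier the user trusts,
    ignoring revoked or expired keys and certifications; None if no match."""
    uid = f"ssh://{host}"
    for key in keyring:
        if not _live(key.expires, key.revoked, now):
            continue
        for cert in key.uids.get(uid, []):
            if cert.signer in trusted and _live(cert.expires, cert.revoked, now):
                return key.fpr
    return None

# Constructed sample keyring; fingerprints are placeholders, not real keys.
ADMIN = "ADMIN0000FPR"      # certifier the user has decided to trust
STRANGER = "STRANGERFPR"    # certifier the user has never vouched for
OLD_HOST_KEY = Key("HOSTKEY1FPR", {"ssh://foo.example.org": [Cert(ADMIN)]}, revoked=True)
NEW_HOST_KEY = Key("HOSTKEY2FPR", {"ssh://foo.example.org": [Cert(ADMIN, expires=2_000_000_000)]})
SPOOF_KEY = Key("SPOOFKEYFPR", {"ssh://foo.example.org": [Cert(STRANGER)]})
KEYRING = [OLD_HOST_KEY, SPOOF_KEY, NEW_HOST_KEY]

def demo(now=1_700_000_000):
    """Same keyring, three different trust choices / points in time."""
    return {
        "trusting_admin": validated_host_key("foo.example.org", KEYRING, {ADMIN}, now),
        "trusting_nobody": validated_host_key("foo.example.org", KEYRING, set(), now),
        "after_expiry": validated_host_key("foo.example.org", KEYRING, {ADMIN}, 2_100_000_000),
    }

if __name__ == "__main__":
    print(demo())
```

The spoofed certification and the revoked old key are never accepted, and the valid binding disappears once its certification expires, which is the behaviour a known_hosts entry managed by hand cannot express.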

This presentation will go over how the Monkeysphere works; how you can
use it to increase the security of servers you maintain; how you can
use it to increase the security of accounts you connect to with ssh;
and we'll discuss future possibilities lurking in the ideas of the
Monkeysphere.

Monkeysphere is currently available in the main Debian repository and
as a port in FreeBSD.  A Slackbuild is available for Slackware, and
Monkeysphere itself should work on any POSIX-ish system with the
appropriate dependencies available.

The Monkeysphere project began to coalesce in early 2008, and remains
an ongoing collaboration of many people, including:

 * Micah Anderson
 * Mike Castleman
 * Daniel Kahn Gillmor
 * Ross Glover
 * Matthew James Goins
 * Greg Lyle
 * Jamie McClelland
 * Jameson Graef Rollins

The project's main web site is http://web.monkeysphere.info/