Provided by: monkeysphere_0.37-3_all bug

NAME
       monkeysphere - ssh and TLS authentication framework using OpenPGP Web of Trust


DESCRIPTION
       Monkeysphere  is  a  framework  to  leverage  the  OpenPGP  web  of  trust  for OpenSSH and TLS key-based
       authentication.  OpenPGP keys are tracked via GnuPG, and added to  the  authorized_keys  and  known_hosts
       files used by OpenSSH for connection authentication.  Monkeysphere can also be used by a validation agent
       to validate TLS connections (e.g. https).


IDENTITY CERTIFIERS
       Each  host  that  uses the Monkeysphere to authenticate its remote users needs some way to determine that
       those users are who they claim to be.  SSH permits key-based authentication, but we want instead to  bind
       authenticators  to  human-comprehensible user identities.  This switch from raw keys to User IDs makes it
       possible for administrators to see intuitively who has access to an account,  and  it  also  enables  end
       users  to  transition  keys  (and  revoke compromised ones) automatically across all Monkeysphere-enabled
       hosts.  The User IDs and certifications that the Monkeysphere relies on are found in the OpenPGP  Web  of
       Trust.

       However,  in  order to establish this binding, each host must know whose cerifications to trust.  Someone
       who a host trusts to certify User Identities is called an Identity Certifier.  A host must have at  least
       one  Identity Certifier in order to bind User IDs to keys.  Commonly, every ID Certifier would be trusted
       by the host to fully identify any User ID, but  more  nuanced  approaches  are  possible  as  well.   For
       example,  a  given  host could specify a dozen ID certifiers, but assign them all "marginal" trust.  Then
       any given User ID would need to be certified in the OpenPGP Web of Trust  by  at  least  three  of  those
       certifiers.

       It  is  also  possible to limit the scope of trust for a given ID Certifier to a particular domain.  That
       is, a host can be configured to fully (or marginally) trust a particular  ID  Certifier  only  when  they
       certify identities within, say, example.org (based on the e-mail address in the User ID).


KEY ACCEPTABILITY
       The  monkeysphere  commands  work  from  a  set  of user IDs to determine acceptable keys for ssh and TLS
       authentication.  OpenPGP keys are considered acceptable if the following criteria are met:

       capability
              The key must have the `authentication' (`a') usage flag set.

       validity
              The key itself must be valid, i.e. it must be well-formed, not expired, and not revoked.

       certification
              The relevant user ID must be signed by a trusted identity certifier.


HOST IDENTIFICATION
       The OpenPGP keys for hosts have associated `service names` (OpenPGP user  IDs)  that  are  based  on  URI
       specifications for the service.  Some examples:

       ssh:   ssh://host.example.com[:port]

       https: https://host.example.com[:port]


AUTHOR
       Written by: Jameson Rollins <jrollins@finestructure.net>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>


SEE ALSO
       monkeysphere(1),  monkeysphere-host(8),  monkeysphere-authentication(8),  openpgp2ssh(1), pem2openpgp(1),
       gpg(1),                            http://tools.ietf.org/html/rfc4880,                            ssh(1),
       http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/

monkeysphere                                       March 2010                                    MONKEYSPHERE(7)