The Monkeysphere Project
The Monkeysphere project's goal is to extend OpenPGP's web of trust to new areas of the Internet to help us securely identify servers we connect to, as well as each other while we work online. The suite of Monkeysphere utilities provides a framework to transparently leverage the web of trust for authentication of TLS/SSL communications through the normal use of tools you are familiar with, such as your web browser or secure shell.
This also enhances these tools by adding the possibility for key transitions, transitive identifications, revocations, and expirations of public keys. It also actively invites broader participation in the OpenPGP web of trust.
For the Web
Everyone who has used a web browser has been interrupted by the "Are you sure you want to connect?" warning message, which occurs when the browser finds the site's certificate unacceptable. But web browser vendors (e.g. Microsoft or Mozilla) should not be responsible for determining whom (or what) the user trusts to certify the authenticity of a website, or the identity of another user online. The user herself should have the final say, and designation of trust should be done on the basis of human interaction. The Monkeysphere project aims to make that possibility a reality.
Frequent users of ssh are familiar with the prompt given the first time you log in to a new server, asking if you want to trust the server's key by verifying the key fingerprint. Unfortunately, unless you have access to the server's key fingerprint through a secure out-of-band channel, there is no way to verify that the fingerprint you are presented with is in fact that of the server you're really trying to connect to.
OpenSSH currently provides a functional way to manage the RSA and DSA keys required for these interactions through authorized_keys files. However, it lacks any type of Public Key Infrastructure that can verify that the keys being used really are the one required or
Monkeysphere uses GnuPG's keyring manipulation capabilities and public keyserver communication to manage the keys that OpenSSH uses for connection authentication.
To emphasize: no modifications to SSH are required to use the Monkeysphere. OpenSSH can be used as is, completely unpatched and "out of the box".
For key signing
Monkeysphere people have also significantly improved the key signing workflow using the monkeysign package.