The Monkeysphere Project

The Monkeysphere project's goal is to extend OpenPGP's web of trust to new areas of the Internet to help us securely identify servers we connect to, as well as each other while we work online. The suite of Monkeysphere utilities provides a framework to transparently leverage the web of trust for authentication of TLS/SSL communications through the normal use of tools you are familiar with, such as your web browser or secure shell.

This also enhances these tools by adding the possibility for key transitions, transitive identifications, revocations, and expirations of public keys. It also actively invites broader participation in the OpenPGP web of trust.

For the Web

Everyone who has used a web browser has been interrupted by the "Are you sure you want to connect?" warning message, which occurs when the browser finds the site's certificate unacceptable. But web browser vendors (e.g. Microsoft or Mozilla) should not be responsible for determining whom (or what) the user trusts to certify the authenticity of a website, or the identity of another user online. The user herself should have the final say, and designation of trust should be done on the basis of human interaction. The Monkeysphere project aims to make that possibility a reality.

Read more on Monkeysphere for the Web

For OpenSSH

Frequent users of ssh are familiar with the prompt given the first time you log in to a new server, asking if you want to trust the server's key by verifying the key fingerprint. Unfortunately, unless you have access to the server's key fingerprint through a secure out-of-band channel, there is no way to verify that the fingerprint you are presented with is in fact that of the server you're really trying to connect to.

OpenSSH currently provides a functional way to manage the RSA and DSA keys required for these interactions through the known_hosts and authorized_keys files. However, it lacks any type of Public Key Infrastructure (PKI) that can verify that the keys being used really are the ones required or expected.

Monkeysphere uses GnuPG's keyring manipulation capabilities and public keyserver communication to manage the keys that OpenSSH uses for connection authentication.

To emphasize: no modifications to SSH are required to use the Monkeysphere. OpenSSH can be used as is, completely unpatched and "out of the box".
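The gap described above (a fingerprint prompt with nothing to check it against, and a known_hosts file with no notion of who vouches for a key) can be shown in a few dozen lines. The following is an added example, not code from the Monkeysphere project: it parses known_hosts entries, computes the SHA256 fingerprints that ssh-keygen prints, performs the manual out-of-band comparison ssh asks for, and then admits a host key into known_hosts only when a certifier the user chose vouches for it. The certification table, the hostnames, and the fixed-byte "keys" are all constructed stand-ins; the real Monkeysphere looks up OpenPGP certifications with GnuPG rather than a Python dict.

```python
"""Added example (not part of the Monkeysphere project): parse OpenSSH
known_hosts entries, compute SHA256 fingerprints, and admit a host key only
when a user-chosen certifier vouches for it. Sample keys and the
certification table are constructed stand-ins, not real data."""
import base64
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class HostKey:
    hostnames: tuple   # names/addresses this entry applies to
    key_type: str      # e.g. "ssh-ed25519", "ssh-rsa"
    key_b64: str       # base64 public key blob as stored in known_hosts
    marker: str = ""   # "@cert-authority" / "@revoked" or empty


def parse_known_hosts(text):
    """Parse known_hosts text into HostKey records; blanks and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = ""
        if fields[0].startswith("@"):          # optional leading marker
            marker = fields.pop(0)
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        hosts, key_type, key_b64 = fields[0], fields[1], fields[2]
        entries.append(HostKey(tuple(hosts.split(",")), key_type, key_b64, marker))
    return entries


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_key_b64(raw32):
    """Build the wire-format blob for an ssh-ed25519 public key (constructed input)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return base64.b64encode(blob).decode()


# Constructed sample keys: fixed byte patterns, not real keys.
ALPHA_KEY = make_ed25519_key_b64(bytes(range(32)))
BETA_KEY = make_ed25519_key_b64(bytes(range(32, 64)))

SAMPLE_KNOWN_HOSTS = f"""
# constructed known_hosts for the example
alpha.example.org,192.0.2.10 ssh-ed25519 {ALPHA_KEY}
beta.example.org ssh-ed25519 {BETA_KEY}
"""

# Certifier -> {hostname: fingerprint} they vouch for.
# Stand-in for OpenPGP certifications of "ssh://hostname" identities.
CERTIFICATIONS = {
    "admin@example.org": {"alpha.example.org": fingerprint(ALPHA_KEY)},
    "stranger@example.net": {"beta.example.org": fingerprint(BETA_KEY)},
}


def verify_out_of_band(entry, expected_fingerprint):
    """The check ssh asks the user to do by hand: compare the presented key
    against a fingerprint obtained through a channel the user already trusts."""
    return fingerprint(entry.key_b64) == expected_fingerprint


def select_certified(entries, certifications, trusted_certifiers):
    """Return known_hosts lines only for entries whose fingerprint a trusted
    certifier vouches for under one of the entry's hostnames. Revoked entries
    are never admitted."""
    accepted = []
    for e in entries:
        if e.marker == "@revoked":
            continue
        fp = fingerprint(e.key_b64)
        vouched = any(
            certifications.get(c, {}).get(h) == fp
            for c in trusted_certifiers
            for h in e.hostnames
        )
        if vouched:
            accepted.append(f"{','.join(e.hostnames)} {e.key_type} {e.key_b64}")
    return accepted


if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for e in entries:
        print(e.hostnames[0], fingerprint(e.key_b64))
    # Only the host vouched for by the certifier the user designated is kept.
    print(select_certified(entries, CERTIFICATIONS, {"admin@example.org"}))
```

The point of `select_certified` is that the trust decision sits with the user's choice of certifiers, not with a fixed list shipped by a vendor: the same known_hosts input yields different admitted hosts depending on whom the user has designated, which is the property the Monkeysphere model gives OpenSSH without patching it.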

Get started with Monkeysphere for OpenSSH

For key signing

Monkeysphere people have also significantly improved the key signing workflow with the monkeysign package.