The Monkeysphere Validation Agent (msva)

Networked programs tend to encounter public keys offered by remote entities. These programs need some way to ensure that the public key in question actually belongs to the expected remote entity.

The Monkeysphere Validation Agent (msva) is a daemon that provides a simple interface for any program to check the validity of an offered public key (or cryptographic certificate).

How to install

On recent Debian or Debian-derived systems, you should be able to install a functional msva with:

# aptitude install monkeysphere-validation-agent

Please see the download page for more info and for instructions for other distributions.

On other systems, we currently recommend porting msva-perl. Please let us know if you're working on this!

How to use

If you are using debian or debian-derived systems with monkeysphere version 0.29-1 or later, you can ensure that an msva runs for your entire X11 session by setting USE_VALIDATION_AGENT to true in your monkeysphere.conf. For example:

$ mkdir -p ~/.monkeysphere
$ echo 'USE_VALIDATION_AGENT=true' >> ~/.monkeysphere/monkeysphere.conf

Then log out, log back in, and the agent will be available.

If you'd like to use msva independently of this mechanism, please read the monkeysphere-validation-agent(1) man page.

Rationale

The Monkeysphere Validation Agent offers a local service for systems to validate certificates (both X.509 and OpenPGP) and other public keys in their proper contexts.

Among other reasons, having a validation agent is a good thing because:

  • Multiple tools can rely on the same PKI (e.g. the user's web browser and the user's ssh client).
  • A single validation agent can present a consistent UI to the user (when used in an end-user context), or provide a unified trust model to various services (when used in a server-side context).
  • Authentication/certificate validation code can potentially be isolated to a protected environment.

How it works

msva is a minimalistic web server bound to the loopback interface that accepts (and returns) JSON objects. Compatible tools are made aware of the agent (and how to find it) with the MONKEYSPHERE_VALIDATION_AGENT_SOCKET environment variable.

You might also be interested in details about the messages passed between the agent and its clients.

The general pattern of user/system workflow for msva was modeled after ssh-agent, a very effective and minimalistic cryptographic agent. The hope is that the two agents can be used in a compatible manner.

Developing for the msva

If you are writing a client that needs to validate certificates or public keys, you might want to read about how to develop clients to use the msva.