Resurrecting the Monkeysphere 🐒
John Scott
jscott at posteo.net
Sat Aug 12 07:56:17 CEST 2023
Hi GnuPG-ers,
I'm bringing back to life the Monkeysphere project which has fizzled upstream. I love the concept and am willing to rewrite major components and, more importantly, provide guides and integrations to make the experiment successful.
What is the Monkeyspherian way of doing things, you may ask? Monkeysphere is all about taking an OpenPGP key and using it in other public key cryptosystems. This has the benefit that the OpenPGP PKI can be leveraged. GnuPG already supports this concept somewhat, allowing you to use the raw public key in OpenPGP keys for X.509 certificates and OpenSSH.
I want to push the concept further. Imagine this: the same raw public key from an OpenPGP key being used for TLS. Without having to do anything, solely because the keys are the same, you automatically have proof that the owner of the OpenPGP key has control over the TLS service! If you ask me, I think DANE is the future for most ordinary TLS needs, but the Monkeysphere can be used with it to prove that the person you know as "John Scott" actually controls the service as opposed to mere domain validation. The best part is that this doesn't require using the TLS for raw public keys extension, although that would be a good hint to a client that they should check their OpenPGP key stores: an ordinary X.509 certificate-using TLS service may well still use the same raw public key as an OpenPGP key, so we have full backwards compatibility and interoperability with existing clients!
Another example I want to experiment with is using the same raw public key from an OpenPGP key for a Tor onion service. This would prove that an individual controls an onion service. Or, since DNSSEC is unavailable, we could take OpenPGP keys with a Tor onion service component in their user ID, or the same with an X.509 certificate, and automatically mark it as trusted if the Curve25519 key used for the OpenPGP/X.509 key material matches what the onion hostname is supposed to use.
I hope the possibilities excite some folks! Please let me know if you are interested in helping or if you have any public experimental services.
Sincerely,
John
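As an added example (not code from the post or from the Monkeysphere project), here is the onion-service check the post describes, in Python: a Tor v3 onion hostname is a base32 encoding of a 32-byte Ed25519 public key, a 2-byte SHA3-256 checksum and a version byte, so a client holding raw key material from an OpenPGP or X.509 key store can derive the hostname from that key, or extract the key from the hostname, and compare the two. The sample key below is constructed for the demonstration and is not a real service key.

```python
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"

# Constructed 32-byte stand-in for a raw Ed25519 public key (not a real key).
SAMPLE_PUBKEY = bytes(range(1, 33))


def onion_v3_address(ed25519_pubkey: bytes) -> str:
    """Derive the v3 onion hostname that commits to this raw public key.

    address  = base32(pubkey || checksum || version) + ".onion"
    checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]
    """
    if len(ed25519_pubkey) != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes")
    checksum = hashlib.sha3_256(
        CHECKSUM_PREFIX + ed25519_pubkey + ONION_V3_VERSION).digest()[:2]
    payload = ed25519_pubkey + checksum + ONION_V3_VERSION  # 35 bytes -> 56 chars
    return base64.b32encode(payload).decode("ascii").lower() + ".onion"


def pubkey_from_onion_v3(hostname: str) -> bytes:
    """Extract the embedded public key, rejecting malformed or tampered names."""
    label = hostname.strip().lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56:
        raise ValueError("not a v3 onion address")
    payload = base64.b32decode(label.upper())
    pubkey, checksum, version = payload[:32], payload[32:34], payload[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("unsupported onion address version")
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    if checksum != expected:
        raise ValueError("onion address checksum mismatch")
    return pubkey


def key_matches_onion(ed25519_pubkey: bytes, hostname: str) -> bool:
    """The Monkeysphere-style decision: does the key from the key store
    equal the key the onion hostname commits to? Any parse error is a no."""
    try:
        return pubkey_from_onion_v3(hostname) == ed25519_pubkey
    except ValueError:
        return False
```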