Resurrecting the Monkeysphere 🐒

John Scott jscott at posteo.net
Sun Aug 13 05:06:49 CEST 2023


On Sat, 2023-08-12 at 21:47 -0500, Jacob Bachmeyer wrote:
> Will there be support for importing, say, a Tor onion service keypair onto an OpenPGP certificate as a subkey?
That is one of the first things I plan to work on.

> Or, perhaps more practically, importing an existing OpenSSH keypair as an OpenPGP subkey?
That too is a priority. I've got a lot to learn especially when it comes to RFC 4880 (OpenPGP), but I'll make it happen.

On the contrary, Monkeysphere has previously had an emphasis on using OpenPGP keys for hostname verification for SSH, which I think is not worthy of effort since that's what DNSSEC and DANE are for. Unless someone can make a good argument, I will be dropping this from the scope of the project.

Anywho, you made some good arguments why excessive key reuse might be a bad thing. That's why thinking of things in terms of subkeys is absolutely the way to go, so you can have as many as you want to diversify risk, but have them all under your master key umbrella.

Some things will be harder than others to attain. For example, GnuPG already makes it pretty easy to go from OpenPGP to OpenSSH, X.509 to OpenPGP, and OpenPGP to X.509, and so transitively X.509 to OpenSSH. I just now deployed a new TLS certificate for johnscott.me that uses an OpenPGP subkey I just added. It's still an X.509 certificate, still signed by Let's Encrypt, and still has DANE (TLSA) records published, so it's fully compatible with the conventional way of doing things.

Monkeysphere will be more than just tooling; it'll also be documentation, so I can share how I pulled that off. It will also be plugins and hooks into existing applications and widely-deployed libraries. A priority will be libcurl. libcurl is very versatile and allows registering callback functions so you can do your own TLS certificate examination for example, so making a library of procedures that has functions for common Monkeyspherian use cases shouldn't be too hard.

In fact, I want to show off that I'm now using an OpenPGP subkey for TLS on johnscott.me as of a few minutes ago, so I'm motivated to make a libcurl demo happen in the next few days.

As always, thank you for your interest.