Improve front page documentation

[daveschaefer]

Let's copyedit the explanation of how the CA model works and how Perspectives is different, so it's easy for non-technical people to understand. Some diagrams would go a long way towards helping explain this. Perhaps we can use something like http://www.gliffy.com/ and create a Creative Commons diagram? That would be useful for the internal help docs too.

[ghost]

For now we could just take the diagrams from the presentations.

[ghost]

Public-Key-Infrastructure, Man-In-The-Middle-Attacks and Perspectives protection explained in three sketches:

[ghost]

1. Situation

• Say Alice wants to communicate securely with Bob.
• Bob therefore generates a private key and a public lock but only sends the lock to Alice.
• Alice however doesn't know how the lock should look like and asks a certificate authority (CA), one of several hundreds delivered with Mozilla Firefox.
• If the locks match, Alice locks up her package and securely sends her love letter to Bob.
• Because Bob never gave away his private key he is the only one able to open the package.

2. Problem

• The problem is that Alice doesn't know what Bob's lock should look like.
• A so called man-in-the-middle attacker could therefore interfere with their communication and send a fake lock to Alice.
• Alice again tries to ask a certificate authority (CA) but the attacker just replies that everything is alright.
• Poor Alice locks up her package and sends it to Bob without knowing that someone eavesdrop their communication.
• The attacker is not even able to open her package but also send a hate letter to Bob.
• Even though their connection was in fact encrypted the attacker could listen to and change their communication because nobody knew who they were actually talking to.

3. Perspectives

• Perspectives protects against this problem by running several so called notary servers.
• A notary server asks Bob over and over again about how his lock looks like and logs the result.
• When Alice receives Bob's lock she also asks the Perspectives notary servers.
• If the notary servers agree on how Bob's lock looks like the communication is secure otherwise something is fishy.

Update 2014-10-31: I tested this with some technical and non-technical people and all-in-all they said it should be split into more diagrams explaining each step. I also made a mistake when drawing these diagrams. The browsers doesn't actually connect and request from an authority, instead the signature of the received certificate is checked against the local public keys.

[daveschaefer]

Thanks for running some user tests Gerold, that is fantastic :)

We should also put all of the text from the perspectives-project.org site into a github repo so we can have revision history on it. That makes sure it is backed up as well.

[ghost]

Some more explanations on mailing list - notaries API specification and the talk on Convergence.

[daveschaefer]

@lambdor Yes, thanks for your summaries in that thread Gerold, that is fantastic.