►
From YouTube: CNCF Notary v2 Key Management 2020-07-24
Description
CNCF Notary v2 Key Management 2020-07-24
A
B
B
A
A
A
I
think
we
can
get
started.
I
don't
think
anyone
else
is
joining
today.
The
what
I
kind
of
wanted
to
get
done
today
was
go
over
the
pull
request
and
finalize
that
and
marco,
I
think,
you've
already
taken
a
look
at
it.
Justin
have
you
had
a
chance
to
review
it
and
come
up
with
some
comments
or
feedback.
D
A
D
D
D
D
Yeah-
and
I
don't
know
how
relevant
this
is,
but
I'm
just
curious
about
one,
a
couple
of
things
that
come
up
when
I
start
to
think
through
them
and
what
they
are
supposed
to
be
trusted
to
do
and
what
they're
supposed
to
not
be
trusted
to
do
more.
Specifically,
because
I
think
in
your
system,
you
want
the
the
publisher
like
someone
who
is
a
publisher,
which
I
noticed,
do
you
have
like
the
publisher,
admin
and
builder
and
signer?
A
D
C
C
C
C
So
that
kind
of
things
and
for
this
we
we
have
this
proof
concept
justin
you.
You
missed
that
as
you
learned
in
in
that
meeting
where
I
gave
the
demo,
but
but
it's
available
open
source,
it
comes
with
it
with
a
small
web
interface
to
to
manage
these
kind
of
things,
but
I
think
in
auto
revv2.
As
far
as
I
can
see
now
in
in
the
design,
this
is
not
not
covered.
A
Well,
I
think,
actually,
if
you
look
at
the
hybrid
signing
use
case
and
then
the
signing
by
build
machines
or
dedicated
machines,
that
does
cover
some
of
that
right,
we're
talking
about
the
administrator,
creating
a
a
root
key
and
then
delegating
access
for
the
the
entity,
that's
essentially
being
designer,
whether
that's
a
developer,
whether
that's
a
build
machine
to
be
able
to
actually
get
delegate
keys
that
change
from
the
root.
So
that's
something
yeah.
I
think
the
coverage.
A
I
think
that's
that's
I
I
can.
I
can
take
elaborating
kind
of
like
who
can
take
on
those
different
roles,
but
I
still
don't
think
we've
answered
justin's
initial
question,
which
was
around:
how
are
we
determining
which
artifacts
we
are
going
to
trust
overall
ray?
I
think
justin
here
the
way
I
was
envisioning
it
is
that
you
know
you're
essentially
like
you
call
that
the
deployer
is
trusting
some
entity
to
say
these
artifacts
are
trusted.
A
These
artifacts
are
okay
to
run,
and
then
it
is
up
to
the
entity,
that's
being
trusted,
in
this
case
the
publisher,
to
kind
of
manage
how
they
say
here
are
here's
here's,
the
ones
where
we
have
signed,
and
we
we.
We
want
our
sort
of
like
consumers
to
say
they
can
trust
us,
and
then
they
have
also
mechanisms
to
say
something
that
we
have
provided.
Trust
us
before
is
no
longer
trusted
right.
D
Obviously
you
know
if
what
we're
supposed
to
be
having
here
is
we're
supposed
to
have
the
the
publishers
and
the
people
at
the
organizations
actually
deciding
what
gets
installed
and
and
what's
trustworthy,
then
than
that
those
are
kind
of
very
different
models
than
one
where
oh
well,
I
just
trust
the
registry,
and-
and
you
know
I
don't
need
to
sign
anything
because
it
comes
from
the
registry.
The
registry
is
a
good
guy
which
isn't
isn't
the
model
that
steve
or
anybody's
proposing.
But
I
think
there's
flavors
of
that
that
creep
in
in
places.
C
I
I
think,
that's
that's
also
what
I
meant
with
we.
We
should
split
more
the
the
the
role
of
the
consumer
and
design
also
also
in
in
the
admin
part
you
have
the
admin
part
where
you
trust
keys,
which
are
derived
from
a
from
a
given
root
or
a
given
intermediate,
where
you
can
white
list.
What
what
is
the
things?
A
Yeah,
I
think
the
part
of
the
goal
here
was
to
completely
remove
the
role
of
the
registry
in
the
trust
components,
and
I
think
that
can
be
addressed
by
adding
in
a
registry
persona
that
says
that
here
are
the
places
where
the
registry
owner,
if
you
will
gets
involved,
what
does
their
role
mean?
What
do
they
add
and
where
are
they
required?
A
A
So
I
think,
if
I
add,
in
a
registry,
persona
and
kind
of
show
the
end-to-end
workflow
of,
like
you,
know,
a
container
being
signed,
getting
uploaded
and
getting
pulled
out
and
deployed
and
show
sort
of
like
what
role
each
persona
has
there.
I
think
that
might
address
some
of
the
concerns
I'm
carrying,
because
I
think
that
is
missing
and
clarity
from
the
the
scenarios
right
now.
D
A
D
A
Yeah,
the
part
of
where
this
comes
in
from
is
in
notary
view.
One
one
of
the
big
concerns
is
if
your
root
is
compromised,
that
root
can
itself
then
be
used
to
rotate
to
a
new
version
of
the
root,
and
so
I
think
separating
out
like
how
you
do
root,
revocation
from
sort
of
like
essentially
other
revocation,
was
one
of
the
areas
that
we
wanted
to
address
in
arabi
too
right
with
roots.
A
D
D
D
D
D
D
A
D
D
A
I
think
what
what
I'm
proposing
here
is
that
the
clients
have
a
mechanism
to
understand
what
the
routes
are,
and
this
is
not
using
the
the
the
keys
that
are
being
used
for
signing
the
containers
and
images
right,
so
this
would
be
kind
of
where
I
think
the
notary
server
morphs
into.
So,
if
you
think
of
notary
server
as
being
like
a
repository
of
keys
that
are
trusted
for
different
entities,
then
you
can
essentially
check
the
notary
service
to
see
what
the
latest
set
of
trusted
routes
are.
A
This
way,
if
someone
wants
to,
like
you
know,
say
like
here's,
a
new
set
of
routes
that
we
want
to
use,
they
can
upload
that
to
notary
server,
and
you
can
your
clients
can
check
that
to
see
what
the
new
set
of
trusted
groups
are.
So
that
allows
you
to
do
group
rotation
without
having
to
use
the
the
root
as
sort
of
like
a
as
an
authentication
mechanism.
If
you
will.
D
A
It
yeah-
I
think
this
is
this-
is
this-
is
something
that
we
can
look
into
more
in
the
design,
but
essentially
what
I'm?
What
I
think
comes
out
of
this
as
a
requirement
is,
we
need
a
component
that
is
telling
you
what
the
latest
routes
to
trust
are
for
any
publish
for
for
a
publisher
without
having
to
use
the
keys
themselves,
as
as
as
mechanisms
for
authentication.
A
So
this
could
be
sort
of
like
you
know
if
you're
saying
like,
I
trust,
let's
say
I
don't
know,
let's
say,
let's
make
up
a
company
if
I
trust
acme,
here's
where
I
know
acnes,
like
keys,
are
published
from,
and
here's
where
I'm
going
to
go
to
get
that
key
information,
because
I
trust
acme
as
a
publisher,
then
anything
that
I
see
signed
with
acme's
key.
I
can
verify
that
they
change
from
their
root.
D
In
many
cases
of
of
sort
of,
like
the
trust
system,
gone
awry,
so
I,
like
you,
know
the
fact
that
you
have
500
certificates
like
for
different
cas.
All
completely
trusted
by
your
browser
is
is,
is
you
know
not
a
not
a
great
situation
given
all
the
digi
noter
and
other
hacks
that
have
happened
in
the
past,
but
but
how
would
you
I
like?
D
I
think
I
need
to
digest
this,
but
to
me
it
feels
like
you're
taking
and
you're
you're,
creating
a
new,
very
trusted
party.
That
is
the
like.
A
third
party.
You
you're,
I
think
the
way
you're
talking
about
this
is
this
is
some.
Is
this
a
server
that
everybody
sets
up
individually?
Every
individual
party
sets
up
a
server
that
has
these
root
keys.
B
A
More
into
sort
of
like
how
that
is
set
up
right,
like
that,
could
be
done
in
a
combination
of
ways
for
for
publishers
that
have
a
strong
notion
of
trust
where
it's
kind
of,
like
you
know,
hey
like.
I
absolutely
want
to
make
sure
that
no
one
else
is
able
to
kind
of
compromise
me
like
have
like
you
know,
like
you
know
like.
A
If
you
have
someone
you
could
set
up
this
yourself
and
then
this
information
yourself
on
the
flip
side
like
if
you
would
want
to
kind
of
go
down
the
ca
model
and
say,
like
you
know,
I
don't
want
to
run
the
server
myself.
You
could
potentially,
like
you
know,
designate
a
third
party
to
establish
and
share
that
trust
for
you
right.
I
think
this
really
goes
up
to
like
each
individual
publisher
determining
what
their
trust
boundary
looks
like.
A
C
So
you
can
basically
build
a
swarm
of
servers
where
this
information
can
be
retrieved
from
so
my
client
only
needs
to
connect
with
my
particular
notary
server
and
then
just
propagates
to
two
different
servers
to
to
retrieve
the
the
information
which
is
not
stored
locally.
So
I'm
more
talking
about
a
distributed
model
where
you
see
nowadays,
a
lot
of
things
are
moving
into
these.
These
distributed
models
where
the
information
is
not
on
one
server
but
where
it's
just
spread
across
the
cloud
or
the
internet.
A
That
presents
some
risk
in
the
sense
that
if
you
have
a
distributed
model
of
trust
where
this
information
is
propagating
through
whenever
you're
doing
a
rotation,
you
also
need
to
kind
of
make
sure
that
it's
going
through
in
a
reliable
manner
to
all
of
the
all
of
the
distributed
hosts
and
things
like
that.
Right,
yeah.
A
So
I
think,
having
a
central
server
makes
more
sense
in
the
sense
in
time
in
terms
of
making
sure
that,
if
you
in
in
this
in
the
regards
secure
rotation
or
vacation,
there's
a
central
authority
that
you
can
essentially
go
and
verify
that
information
from
for
air
gapped
environments
right.
I
think
this
is
one
of
that.
A
I
have
a
section
in
the
trust
or
configuration
which
we
can
expand
on.
The
idea,
essentially,
would
be.
You
can
periodically
check
if
you
want
and
pull
in
that
information,
but
you
wouldn't
get
that
sort
of,
like
you
know,
immediate
information,
if,
like
a
revocation
or
something
happen,
it
is,
though,
that,
like
you
know,
we
could
kind
of
come
up
with
some
kind
of
a
notification
mechanism
that
you
could
set
up.
A
C
Yeah,
so
in
that
situation
you
would
need
a
secure
trusted,
synchronization
protocol
or
something
like
that,
not
sure
how
that
would
look
like,
but
that
that
would
be
definitely
something
that
that
you
would
require.
But
let's
say,
if
we
stick
with
with
with
the
central
server,
I
foresee
one
wants
one
issue
there,
that's
with
some
of
these
big
enterprises,
even
even
in
some
of
our
own
products
or
things
which,
which
are
deployed
at
hospitals.
We
simply
are
not
allowed
to
do
a
network
connection
outside
of
the
trust
network
and
stuff.
C
A
So
there
is
a
workaround
that
would
currently
work
in
that
sense
that
you
don't
necessarily
need
to
go
to
a
server
to
get
the
keys.
You
can
also
configure
the
keys
yourself
right
so
in
an
air
gap
environment.
One
of
the
things
you
could
do
is
you
could
look
at
what
keys
are
trusted
and
configure
them
yourself,
but
that
is
at
a
point
sort
of
trust.
C
A
A
So
this
is
necessarily
like
the
same
way:
publishers
fit
into
an
admin
and
a
signer
deployer
gets
split
into
an
admin,
who's,
configuring,
the
trust
and
the
developer
running
the
or
a
machine.
That's
actually
pulling
the
containers
and
running
them.
So
I
think
I
can
split
deploy
into
two.
So
if
I'm
carrying
the
feedback
on
the
personas,
the
this
really
should
have
five
personas
going
forward
an
admin
and
a
assigner
for
publisher
and
for
deployers.
B
Organization,
I
think,
similarly,
for
that
scaling
property.
It
would
be
nice
if
the
different
personas
can
like
delegate
pieces
of
their
role
to
other
parties,
especially
in
like
a
very
large
organization.
So
like
you
could
have
multiple
people
in
charge
of
a
particular
persona
like
it
doesn't
have
to
actually
be
a
person
or
even
a
single
key
or
anything.
C
C
A
I
think
those
roles
would
make
sense,
but
do
we
want
to
make
that
distinction
now
or
do
we
want
to
work
on
a
design
and
then
figure
out
what
the
different
roles
are
and
come
across?
That?
I
think
what
I
was
attempting
to
do
right
now
was
at
a
very
high
level
capture
what
the
different
use
cases
are.
B
C
A
Sense.
Okay,
so
I
think
what
I'm
going
to
do
next
step
is
add
in
those
additional
personas.
Add
some
more
details
to
the
trust
for
configuration,
use
cases
but
justin.
I
wanted
to
go
back
and
I
think
we
still
around
sort
of
like
the
root
kind
of
management
piece.
We
didn't
quite
really
settle
on
an
answer
there.
What
are
sort
of
like
some
of
the
additional
concerns
that
you
think
we
should
debate.
D
D
I
need
to
to
go
through
the
scenarios
because,
as
I
kind
of
map
this
out
in
my
mind,
it
feels
like
this
is
just
adding
another
party,
and-
and
I
I
I
you
know-
I'm
gonna
probably
go
back
through
the
recording
for
this
and
try
to
understand
better
where
you're
coming
from,
but
I
I
still
have
like
from
just
a
security
trust
standpoint.
It
it
feels
like
this
just
makes
this
design
weaker
than
than
having
the
root.
D
Do
the
rotation
like
like
you're,
adding
in
another
party
and
and
I'll
try
to
have
a
an
easier
way
to
reason
about
it,
but
like
fundamentally,
the
way
I
the
way
I
still
see
it
is.
Is
that
the
the
the
trust
like
you
you're
you're,
just
adding
a
party
that
you're
that
you're
relying
on
even
more
and
you
already
were
in
trouble
if
the
route
was
compromised?
A
A
C
A
A
C
A
D
B
A
Okay,
I'll
go
ahead
and
publish
another
update
by
monday
morning,
and
then
we
can,
if
once
you
guys,
get
a
chance
to
review.
If
you
put
in
comments,
I
can
also
start
looking
at
it
for
the
friday
meeting,
but
next
friday,
I'd
like
to
close
this
and
the
monday
after
just
shares
what
we've
agreed
upon
with
the
larger
audience,
then
we
can
start
like
focusing
on
the
design
aspect
of
this.