►
From YouTube: CNCF Notary Project 2020-07-06
Description
CNCF Notary Project 2020-07-06
C
A
D
D
Thanks
thanks
T
hi
hi
everyone,
so
so,
as
some
of
you
may
know,
I'm
Trish,
shank
I
used
to
work
on
top
and
in
toto
at
NYU,
another
grad
student
and
now
I'm
security,
engineer
data
dog,
where
I
also
put
some
distance
to
use,
among
other
things,
and
today,
I
want
to
talk
to
you
about
our
experience
with
key
management.
With
this
tool
we
call
signee,
which
I'll
explain
in
a
bit
for
what
it
is,
what
it
does
and
what
yeah
what
it's
for
so,
and
we
do
this
with
no
3v1.
D
D
Microsoft,
let's
not
forget,
so
that's
the
high
level
idea,
and
the
key
thing
you
need
to
know
for
this
stock
is
that
there
is
basically
a
bundled
or
JSON
file
that
specifies
your
application.
So,
for
example,
where
do
you
get
credentials
from
TLS
certificates
and
port
numbers
and
what
what
images
to
the
invocation
images
will
tell
their
on
time?
D
How
to
install
your
application
and
then
the
rest
of
the
rest
of
the
images
can
can
tell
the
runtime
what
your
applications
are
made
of
example,
you
could
have
a
DBE
or
you
could
have
Kafka
yeah
yeah,
you
get
the
idea
so
and
for
the
purposes
of
our
talk,
what
we're
gonna
talk
about
is
how
we
sign
these
bundles.
So
you
can
think
of
so
imagers.
D
You
can
think
of
images
as
sitting
on
a
lower
layer
than
the
bundle
which
referred
to
this
images
right,
and
you
may
really
use
docker
content,
trust
to
do
sign
and
and
and
and
verify
these
images
now.
The
key
idea
is
that
you
can
reuse
the
same
technology
to
sign
and
verify
your
bundles
right
and
potentially
you
may
not
even
need
to
sign
your
images
anymore
now.
D
Yet
now
you
have
one
bundle
to
refer
to
all
of
them,
and
so,
if
you
do
it
properly,
you
can
get
all
of
this
all
of
the
signing
for
different
images
for
free
in
one
place,
and
so
the
good
news
is
that
I'm
very
pleased
to
say
after
months
of
work,
the
CNF
security
spec,
which
basically
talks
about
using
tough
within
Toto,
was
finalized.
Last
week,
it's
one
1.0
0.0,
ga
so
I'm
very,
very
pleased
about
that.
A
hard
work
from
Raju
and
Rawls
and
others.
D
So
so
that's
C,
NAB
security,
that's
C,
NAB
in
a
nutshell,
which
tells
you
how
to
install
your
bundle
in
the
cloud.
Your
application,
a
cloud
native
law
and
CNF
security
is
a
way
to
sign
and
verify
your
bundles
and
signee
is
the
tool
that
is
the
reference
implementation
to
see.
Nab
security.
Does
that
make
sense
everyone
please?
Let
me
know
if
you
have
questions
before
you
go
further,
you
guys.
D
D
D
Let
me
go
back
to
the
agenda
to
remind
myself
right.
Ok,
so
we've
talked
about
what
scene
app
is:
we've
talked
about
what
scene
obscure
it
is,
and
now
we
know
what
sign
is
great,
so
what
we
call
our
Minimum
Viable
Product,
and
if
you
care
you
can
read
the
entire
spec,
but
the
basic
idea
is
that
you
can
see
it's
very
similar
to
what
docker
content
already
does
what
we
call
the
Minimum,
Viable
Product,
basically
uses
notary
to
sign
for
a
bundle.
It's
the
same
old
security
model.
D
You've
seen
before
you
have
this
four
rules.
We
don't
have
to
worry
about
all
of
them.
The
thing
that
matters,
the
most
is
the
so-called
targets
rule
that
distributes
the
hashes
for
your
bundle
in
this
case,
which
in
turn
will
distribute
the
hashes
I
should
mention
the
reason
you
don't
necessarily
need
to
sign
your
images,
we'll
talk
about
good
reasons
for
signing
for
it,
but
the
the
bundle
of
Jason
would
contain
the
hashes
for
the
images
on
you
great
and
some
of
you
may
be
wondering
hold
on.
D
D
People
like
Radu
and
Sylvie
and
others
at
docker,
came
up
with
this
nice?
It's
called
Sina
registry
spec
came
up
with
a
nice
way
of
reusing,
OCI
artifacts,
it's
a
it's.
It's
a
little
bit
of
a
hack
at
the
moment,
but
I
believe
it
does
use
the
standard
way
to
push
an
arbitrary
file
and
you
just
have
specified
a
media
type.
So
that's!
D
What's
wherever
that's
what's
happening
right
now,
we
use
a
tool
called
seen
at
the
OCI
to
push
the
bundle
adjacent
to
to
a
registry,
so
you
can
get
bundles
and
images
in
the
same
place,
which
is
nice
very
nice
for
your
runtime,
because
you
can
reuse
the
same
same
same
idea.
Basically
same
machinery,
great,
and
so
the
next
thing
we
should
talk
about
is
okay.
So
that's
the
MVP,
nothing
we
haven't
seen
before
in
the
wool
of
docker.
Let's
talk
about
an
extension
to
the
MVP.
D
It
looks
slightly
more
complicated,
but
hopefully
it's
not
too
frightening.
It's
just
complicated
it's
all
of
this.
So
what
we're
doing
in
this
case
is
okay.
So
what
are
we
trying
to
do
here
exactly?
Why
is
this
so
complicated?
What
we're
trying
to
do
is
stick
in
so
call
s-bahn
metadata,
and
it
could
be
anything
maybe
any
tool
you
want
to
use
graph
es
metadata,
let's
say
or
in
todo.
In
this
case,
the
key
idea
is
that
you
want
to
provide
additional
sign
metadata.
That
tells
you
how
the
bundle
was
produced.
D
D
It's
got
a
lot
of
fields
in
a
lot
of
information
in
it
and
you
can't
get
fine-grained
information
such
as
who,
maybe
you
want
to
know
things
like
well,
who
produces
the
so-called
invocation
or
installation
image
who
produced
this
other
image
was
a
machine?
Did
a
machine
produce
the
entire
file
or
the
developers
produce
some
parts
of
it?
You
don't
get
any
information
with
the
MVP
at
all.
D
So
that's
what
the
extension
then
weepy
does,
and
the
key
idea
here
is
that
we
use
something
called
delegations
before
I
go
into
before
I,
throw
this
word
around
without
defining
it.
Let
me
let
me
quickly
show
what
I
mean,
because
I've
noticed
that
sometimes
we
use
this
term
defining
work
delegation
is
a
very
simple
idea.
It's
that
so,
okay,
so
without
delegations,
what
would
happen?
Normally
you
use
the
targets
role,
and
this
role
has
the
power
to
a
role
is
a
manner
of
machine.
D
It
doesn't
matter
that
the
idea
is
that
what
is
the
responsibility
of
a
role
right
that
that's
what
we
mean
by
normally?
This
role
would
have
the
power
to
sign
everything,
any
bundle,
any
image
whatever
you
need,
and
that
may
not
be
desirable,
particularly
if
you're,
if
a
machine
is
signing
a
bundle,
for
example,
right
or
or
everything
about
a
bundle.
So
what
do
you
do
is
split
the
responsibility
even
further
and
that's
what
delegations?
Let
you
do
so
imagine
that
this
is
the
target
role.
D
We
call
it
projects
here,
but
we
call
it
a
target
role
and
the
targets
are
old,
says:
hey,
look,
I'm,
not
gonna,
sign
anything,
but
if
you're
looking
for
Django
packages,
let's
say
good
Alex
and
here's
a
key
right.
That's
all
I
know
about
it.
I
don't
sign
anything,
but
a
delegation
is
simply
a
mapping
of
public
keys
to
what
sort
of
images
or
bundles
or
whatever
arbitrary
artifacts.
Actually
you
just
specify
the
namespace
that
they
are
allowed
to
sign
so
great.
D
D
Okay,
great
and
this
role
can
also
change
the
keys
any
time
right
and
so
Alice
can
further
delegate
the
power
and
say:
hey,
look
yeah
I
do
I
am
responsible
for
Django
packages,
but
if
you're
looking
for
Django
packages
that
end
with
peridot
GZ,
let's
see
for
Linux
go
ask
Bob
about
it
and
here's
this
key
right.
This
is
roughly
make
sense.
So
far,
it's
basically
a
splitting
of
trust
for
a
fine
grain
yeah.
It's
a
fine
graining
of
trust
management
and
system.
D
Okay.
So
what
we're?
And
what
we're
hoping
to
do
here
is
that
notice
that
we've
delegated
things
to
a
roll
call
target,
slash
releases
and
I'm,
just
gonna
call
it
release
this
from
now
on,
because
the
whole
name
doesn't
roll
off
the
tongue,
as
you
can
imagine,
but
releases
is
the
traditional
role
that
docker
itself
lets
you
use
today.
Actually
what
you
can
do
with
docker
right
now
is
say:
okay,
yeah
I've
got
a
targets
role,
but
I'm
gonna.
D
Let
a
machine
sign
everything,
so
I'm,
gonna,
delegate
everything
to
the
Machine
and
if
the
machine
he
ever
gets
compromised,
I
can
use
the
targets
role
key.
Instead
of
the
root
roll
key,
which
is
presumably
more
difficult
to
get
to,
it
has
more
power
than
the
targets
key,
so
you
want
to
use
a
more
friendly
key.
Shall
we
say
to
revoke
the
Machine
key?
So
that's
one
thing
you
can
do
with
docker
content
trust
already,
but
here
we're
doing
something
more
complicated.
D
You
don't
need
to
know
the
whole
details
of
the
whole
thing,
but
what
we're
basically
trying
to
do
is
say
this
immutable
rules
about
the
software
supply
chain
that
should
be
signed
by
offline
keys,
and
that's
why
it's
green
here.
Ok,
that
guy
directly
signed
some
immutable
rules
of
the
pipeline.
Shall
we
say
that
cannot
be
changed,
and
so
what
the
machine
can
do
is
sign
all
the
other
metadata
that
is
safe
for
a
machine
to
sign,
because,
basically,
if
the
machine
misbehaves,
we
can
check
using
this
immutable
rules
that
we
have
fixed
here.
D
I
don't
want
to
go
into
the
details,
but
that's
the
high-level
idea.
The
key
takeaway
here
is
that
we
can
use
delegation
to
safely
split
what
a
machine
can
or
cannot
sign.
Does
this
make
sense?
So
if
human
human
developers
always
have
the
power
to
specify
the
most
important
things
in
the
system
and
machine
can
only
sign
the
least
important
bit,
so
even
if
someone
breaks
it,
a
machine,
yeah
you're,
not
you're,
not
gonna,
lose
sleep
because
he
can
eventually
catch
the
machine.
D
Is
there
ok,
and
so
that's
the
usefulness
of
delegation,
sir
great
and
I
should
talk
about
an
example
minimalist
bomb
again,
I
don't
get
into
the
details
too
much,
but
basically
you
can
think
of
the
pipeline
is
having
two
steps.
You
should
really
draw
a
nice
picture
for
this,
but
basically
this
is
a
developer
step
where
products
are
basically
input
and
basically
developers
can
sign
everything
under
a
bundle
case
all
right.
It's
got
all
this
metadata,
so
developers
always
have
the
ultimate
power.
Now.
D
What
we're
saying
a
machine
can
do
is
that
a
machine
can
add
hashes
about
images
to
the
bundle,
but
that
is
all
it
can
do.
That
is
the
only
s-bahn
metadata
that
is
allowed
to
produce
and
if
it
does
something
else
funny,
if
it
tries
to
change
what
developers
produced,
you
can
catch
the
machine
misbehaving,
which
is
a
very
powerful
property
to
system.
If
you
think
about
it,
ok,
so
great,
ok
and
sign
is
the
reference.
So
ok,
so
and
I
promised
some
lessons.
We
learned
when
developing
this
reference
implementation
for
scene
app
security.
D
What
do
we
call
funny?
The
first
lesson
is
reusing
he's
darker
already
by
default.
Note
3
I
should
say
by
default
already
pushes
the
responsibility
of
the
the
so-called
timestamp
key
to
the
server,
which
is
great,
and
we
simply
added
a
very
simple
thing
anyway
say
yep.
You
know,
you
know
what
the
less
keys
we
have
to
manage
the
better,
so
we're
also
pushing
the
snapshot
key
to
the
server
in
China.
That's
a
very
simple
extension
that
we
made.
In
fact,
I
ran
through
this
problem
with
Phillips.
D
Today,
I
should
mention
Phillips
research
is
writing
their
own
tool
called
DCT
no.3
admin,
but
he
basically
trying
to
do
a
lot
the
same
thing
but
for
docker
content,
trust
they're,
trying
to
make
it
simpler
to
use
for
the
developers,
so
they
were
stuck
at
signing
the
snapshot.
They
were
unaware
that
they
had
to
sign
the
they
had
to
provide
the
snapshot
key
password,
and
so
that's
one
thing
that
I
helped
them
so
as
of
today
morning.
D
This
tool
is
also
doing
the
same,
not
just
sign
that
we
basically
pushed
the
time
time
and
snapshot
and
you
don't
actually
lose
a
lot
of
security.
This
way,
this
roles
don't
have
the
power
to
change
by
themselves,
the
hashes
of
images
or
buttons.
So
it's
not
unsafe
to
do
and
it
increases
usability
a
lot.
D
Another
thing
that
we
did
for
signee
is
that
so
doctor
already
reuses
the
the
rookie
right
across
images
or
repository,
so
something
if
you're,
not
unaware
of
if
you're,
not
aware
of,
is
that
the
the
model
that
we
have
today
with
no
3v1
the
docker
content,
trust
v1?
Is
you
basically
have
a
separate,
tough
repository
and
we
don't
need
to
call
it
tough
we'd
be
calling
the
metadata,
basically
a
separate
metadata,
repository
per
image
or
per
bundle
or
whatever
artifact
you
care
about
uploading
to
the
registry.
D
Another
thing
we
did
is
that
we
reuse
the
route
and
targets
needs
across
the
bosphorus,
because
if
you
are
the
same
organization
uploading
all
these
different
images
to
a
registry,
you
really
don't
lose
a
lot
of
security
by
reusing
the
skiis.
You
you
in
fact
increase
usability.
You
don't
have
to
manage
so
many
keys
anymore
and
we
can
split
the
if
you're
really
concerned
about
security,
you
can
you
can
have
a
different
machine,
signing
key
for
every
image.
That's
one
thing
you
can
do
and
we
should
give
you
an
option
right
now.
D
We
don't
have
it,
but
you
can
potentially
do
it:
okay,
great
and
so
yeah.
We
need
to
one
thing
that
I
think
we
need
to
do
is
revisit
the
idea.
Why
no
three
needs
right
now.
It
does
need
it
right
and
I,
don't
think
it
needs
to
be
necessary.
We
don't
need
a
separate
metadata
repository
for
OCI
artifact.
D
It
should
we
should
think
about
trying
to
remove
the
burden
of
managing
keys
from
end
users
and
basically
developers
as
much
as
possible,
so
they
don't
have
to
manage
a
separate
root
and
vine
stem
and
snapshot
/
/
artifact.
We
really
should
do
that.
That
is
something
we
should
think
about,
and
lesson
number
two
is
using
the
power
of
delegations.
I've
discussed
briefly.
D
It's
just
that
the
talker
come
on
and
Justin
Carmack
should
feel
free
to
correct
me
here,
but
as
far
as
I've
seen,
it
doesn't
expose
the
full
power
of
this
delegation
to
the
end-user
and
most
basically
gives
you
the
target
it's
in
the
releases
role,
but
that's
it's
in
it's
an
either
old
model,
but
basically
what
people
like
Philips
and
finally
want
it's
a
way
to
let
developers
go
on
and
then
manage
their
own
develop
their
their
own
delegations
from
there.
So
that's
another
lesson.
D
D
Okay,
great
and
I
know
I've
wrapped,
so
basically,
I've
got
like
a
shortcut.
A
shortcut
command
here
called
signing
sign
and
a
very
imaginative
name,
but
basically
I'm
signing
a
test,
bundle
and
I'm,
pushing
it
to
my
local
host
registry
here
and
I'm
also
note
that
I'm
also
adding
in
total
metadata
at
the
same
time,
I'm
actually
sticking
it
inside
the
tough
targets
metadata,
which
is
a
nice
property
of
top,
by
the
way,
we're
basically
using
tough
as
a
trust,
bootstrapping
layer.
You
can
think
of
it
that
way,
we're
transparently
adding.
D
This
is
something
that
tough,
in
fact
no
tree,
we
want
already.
Let's
you
do
this
we're
adding
additional
metadata,
and
this
could
be
your
a
small
metadata,
we're
saying
here's
the
rules
of
the
pipeline,
and
this
is
the
way
you
catch
up
the
machine
with
the
haze.
If
your
pipeline
misbehaves
and
here
all
the
s-bahn
materials
and
here's
a
here's,
a
public
key,
you
can
use
to
verify
the
rules
of
the
pipeline
in
the
first
place.
That's
what
we're
doing
here
you
can
see.
We
don't
ask
ask
you
to
do
worry
about
keys
at
all.
D
In
fact,
we're
getting
some
key
passwords
from
environment,
environment
variables
we
hadn't
seen
so
it's
basically
treaties
that
you
have
to
worry
about
the
route,
the
targets
and
the
releases
role
and
as
I
mentioned
before,
we
reuse
these
keys
across
reporters
across
artifacts
for
usability,
and
so
verification
will
be
the
basically
the
same
with
much
less
information.
Of
course,
we
say
what
what
bundle
were
interested
in.
You
can
see
it
stacked.
Just
like
a
docker
image
right.
The
two
doesn't
know
any
difference
and
we
say
but
also
verified
in
total
metadata.
D
Now
it
actually
bounced
out
here,
which
is
not
great,
but
this
is
actually
a
bug
in
our
part,
we're
using
a
bad
pipeline.
That's
not
actually
made
for
see
that
it's
the
test
pipeline
that
we're
using-
and
you
really
should
have
been
doing
this.
But
basically,
if
things
just
worked,
it
would
have
been
a
successful
here
and
we're
basically
verifying
that
everything.
The
bundle
was
produced
correctly.
D
Actually,
we're
actually
working
on
a
PR
to
fix
this
right
now,
but
you
can
see
with
design
the
signing
and
verification
processes
to
be
as
easy
to
use
and
as
transparent
as
possible
and
for
users
not
to
think
about
all
this
low-level
decisions,
such
as
how
do
I
manage
my
keys?
We
basically
pick
a
sensible
default,
we're
kind
of
apini
that
I
guess
that's
the
word
for
it,
and
if
you
want
to
do
things
differently,
you
can
but
the
default
is
don't
worry
about
it.
D
We
think
this
will
work
for
80%
of
news
lists
yeah,
and
that's
that's
basically
what
I
have
to
share
in
terms
of
demo
and
key
ideas
today
key
lessons.
What
I
also
want
to
say
is
that
things
that
that
Phillips
wanted
to
talk
about
Marco,
Frandsen,
actually
I,
think
from
Philips
research
I
got
his
name
right
are.
They
are
very
interested
in
no
three.
We
do
just
like
us
at
signee
with
C
NAB
security.
D
Both
of
us
are
working
with
extending
no.3
v1.
In
the
meantime,
one
thing
that
bored
of
us
would
like
to
see,
in
fact,
if
I
don't
have
suffered
from
the
same
problem.
This
is
something
we
should
fix
for
no
tree
also
is
that
there
really
should
be
abstract
interfaces
or
API
is
for
dealing
with
keys
and
where
you
read
and
write
metadata
from
like
we
cannot
assume
a
file
system.
D
D
Another
thing
that
both
of
us
would
like
to
see
is
very
simple,
one-click
user
interface
for
things
like
here
on
vacation
right
now,
it's
not
clear
how
to
do
this,
you
might
have
to
muck
around
with
a
command
line,
for
example,
but
we
would
like
to
do
is
provide
very
convenient
GUI,
for
example,
to
be
able
to
do
this.
Something
I
should
mention
really
quickly
is
that
Phillips
is
looking
for
funding,
so
they
were
wondering
where
the
CNC
f
can
help
here,
but
maybe
that's
not
the
right
form.
I
just
want
to
draw
it
out.
D
There
I
just
wanted
to
say
that
basically,
this
interest
from
different
communities
such
as
seeing
obscurity
and
Phillips
to
see
some
of
this
lessons
that
we
have
learned
be
incorporated
into
no
3v2.
Another
thing
I
want
to
mention
before
I
stop
talking
is
I,
think
it'll
be
very
useful
to
have
an
EU
and
Asia
friendly
meeting
time.
Also
I
know
it's
difficult
to
find
such
a
meeting
time
for
everybody.
D
D
A
B
Hey
Sean,
thanks
for
that
this
is
Omar
from
AWS.
I
got
a
couple
of
questions.
The
first
one
is
that
these
call-outs
you
just
made
on
order
ev2
like
we,
should
ensure,
let's
say,
for
instance,
that
there's
a
abstract
API
for
key
management.
We
should
make
it
easy
from
a
GUI
perspective.
If
you
had
a
look
at
the
scenarios
dock
on
github
and
ensure
that
that's
there
or
not
there,
that's.
D
A
D
E
E
B
Cool
yeah,
the
basic
call
out
is
that
while
we're
putting
things
online-
and
we
have
discussions
and
there's
all
these
learnings
that
are
coming
from
all
of
us
right-
different
communities
and
different
things
that
we've
seen,
that
would
be
the
place
to
dump
our
feedback
for
wonderful,
better
work.
That's
a
PR!
It's
an
amendment,
however,
so
that
when
we
go
review
that
these
are
not
lost
right,
that
I
was
just
wondering
if
we
haven't
done
that
we
could
or.
A
Yeah
I
mean
I,
think
we've
got
this
one
captured
here
and
this
one's
a
little
intertwined,
because
it's
key
management
and
tough
as
a
like
there's
a
separate
one.
We
just
want
to
make
sure
that
every
cloud
provider
and
private
instance
of
this
registries
and
scenarios
can
actually
use
a
specific,
their
specific
key
management
solution
right
and
then
necessitates
having.
A
A
A
D
A
A
A
So
I
was
curious
because
from
knowing
a
little
bit
about
what
you
guys
were
doing
with
seen
a
band
sandy
and
so
forth,
I
was
kind
of
just
focused
I.
Guess
I
just
wanted
to
put
the
question
out
there
and
is:
were
you
focused
on
trying
to
enable
scene
AB
in
the
existing
infrastructure,
because
CNM
is
obviously
a
larger
superset
of
things
as
opposed
to
or
not
opposed
to,
or
as
a
beginning
step
towards
the
balance
of
public
registries
and
private
registries
in
air-gapped
environments?
D
A
good
question
I
mean
yes,
for
us
is
basically
non-negotiable.
It
is
a
constraints,
a
requirement
that
it
has
to
work
with
existing
infrastructure,
which
is
why
we
went
ahead
and
got
start.
So
that's
why,
for
example,
is
important
to
pushing
bundles
Assoc
artifacts
right.
You
want
the
same
place
to
keep
bundles
and
images.
You
don't
want
two
different
places
for
it,
I
mean,
and
ideally
it
would
have
been
nice
to
have
the
metadata
and
the
same
places.
D
The
registry,
which
is
something
which
I
believe
is
requirement
for
no
3v2,
but
it's
not
there
and
no
tree
v1
yeah.
So
because
of
this,
so
that's
an
excellent
question
about
era
gap.
We
thought
about
this
and
we
basically
prescribed
two
solutions.
One
is
when
you're
pulling
a
bundle
and
you're
verifying
the
signature
on
it
and
you
push
a
copy
of
the
bundle
in
your
own
private
registry.
You
basically
have
two
options.
What
are
your
options
at
this
point?
D
You
can't
blindly
copy
the
signatures
because
you
basically
don't
own
some
of
the
keys,
so
there's
at
least
two
options
for
you.
One
is
when
you
pull
from
a
public
registry.
You
verify
the
signatures,
but
you
basically
push
it
and
you
don't
sign
it
in
your
own
prior
registry
and
you
consider
it
a
trusted
zone.
Basically,
that's
one
option.
The
second
option
is,
we
say
recited
using
your
own
keys,
which
is
slightly
more
complicated,
but
it
can
be
done
and
the
idea
is
that
we
don't
want
to
force
people
into
any
particular
like
PowerShell.
A
A
No,
the
media
type,
it
sounds
like
you've
got
and
I'm
curious.
What
you
guys,
where
you
guys
will
end
up,
but
the
the
ability
to
move
content
between
registries
is
just
not
something
you
were
in,
but
it's
just
based
on
the
current
infrastructure
that
exists
today
that
you
have
to
kind
of
refine
or
or
trust,
there's
really.
There
is
no
way
to
you.
A
You
didn't
magically
find
a
solution
to
move
the
signatures
and
everything
with
okay,
that's
totally
fair,
like
I
just
wanted
to
I.
There's
I
think
there
was
a
I
wanted
to
see
what
you
guys
had
done
to
kind
of
see
what
progress
you
guys
had
made
and
I've
actually
curious
about
the
shell
scripts
that
you
guys
were
outlining,
but-
and
you
guys
have
made
great
progress
on
how
to
do
this
and
a
large
thing
and
there's
a
bunch
of
details
on
the
canonical
Jason
I.
Think
you
guys
work
through,
but.
A
D
Yeah
exactly
especially
delegations,
which
we
found
a
notary,
we
one
is
actually
powerful
enough
to
do
what
we
wanted
to
do
right,
but
I
don't
think
we
can
fundamentally
solve
the
copying
between
registries.
Metadata
I
mean
on
behalf
of
notary.
We
won
because
it
basically
you
have
to
copy
metadata
between
sequel
databases
or
whatnot,
and
that's
just
something
that
we
and
it's
a
private
API
base
for
so
Radu
is
here
by
the
way.
So
he
might
want
to
add
something
to
this
hey.
F
D
F
And
he
was
right
about
that.
We
just
didn't
we
I
did.
If
you
recall,
we
had
the
conversation,
probably
winter,
about
what
access
the
scene
happening.
You're
looking
for
energy
v2,
and
that
was
probably
the
biggest
item
that
we've
had
in
there.
We
do
have
some
guidance
about
for
people
who
are
really
really
interested
in
doing
that,
and
it
probably
could
be
achieved
with
no
3v1,
but
as
a
spec
and
as
a
reference
implementation.
A
F
We
signed
a
Content
digest
of
the
actual
object
of
the
actual
artifact,
rather
than
the
actual
content
digest
of
the
manifest
right.
The
manifest
is
the
representation
of
how
an
OCI
registry
stores
an
object
right,
whereas
for
C
now
we
have
a
requirement
that
specifies
that
you
can
distribute
the
objects
without
a
registry,
so
you
don't
actually
have
a
manifest
for
you
and
you
still
want
to
validate
a
signature
or
even
generate
one.
F
F
A
F
A
Okay,
I'm
I'm
missing
a
little
bit
of
a
gap
in
there,
but
it's
okay.
We
can
follow
up
later,
but
I
think
the
we
definitely
want
to
be
able
to
have
like.
If
you
look
at
the
scenarios,
we
talked
about
being
assign
an
artifact
before
it's
pushed
to
a
registry,
and
then
you
subsequently
push
it
to
a
registry.
So,
from
a
scenario
perspective
I
think
we've
I'm,
hoping
we've
captured
that
for
you
and
to.
F
A
On
the
public
and
private
registries,
are
you
guys
kind
of
been
more
focused
on
like
how
do
I
make
a
bundle,
bundle
CNF
that
IO
collection
of
bundles
or
were
you
kind
of
thinking?
Have
you
spent
much
time
thinking
about
the
the
individual
customer?
That's
building
lots
of
bundles
themselves
for
their
own
deployment
and
they're.
You
know
they
have
automation,
there's
constantly
building
it's
only
in
their
environment,
they're
they're
not
trying
to
share
necessarily
outside
of
their
company.
F
But
that
being
said,
I
we
there
isn't
necessarily
something
that's
missing
from
allowing
organizations
to
publicly
distribute
bundles
because
we're
using
distribution
and
notary
there's
they
they
can
use
it
in
exactly
the
same
way.
You
would
use
docker
content
trucks
right
now.
The
changes
that
Prashant
mentioned
about
delegations
no.
A
That's
good
I
was
actually
afraid
you
were
focused
more
on
the
public
and
weren't
dealing
with
the
intricacies
of
private
registries
and
the
way
companies
move
not
move
but
work
in
private
registries
different
than
public
registries
and
when
I
say
public
registries
is
a
there's,
a
different
surface
area
and
challenge.
When
I'm
trying
to
publish
things
for
the
world
to
consume
versus
on
publishing
things
forth
in
my
company.
That
does
need
off
to
connect
to
everything.
F
A
Question
that
and
I
want
to
make
sure
we
have
time
for
the
one
of
the
things
that
we've
been
discussing,
and
we
need
to
put
more
focus
time
on.
It
is
the
the
UX
the
experience
for
what
the
client
should
look
like
and
when
you
guys
had
signee
I
was
kind
of
like
really
excited
to
see
what
that
CLI
was,
but
I
noticed,
Trisha
hunk,
you
were
actually
showing
signing
being
called
by
a
shell
script,
so
I'm
I'm
curious
ye
and
you
still
had
to
pass
a
bunch
of
parameters
to
it.
A
D
We
could
we
really
should
call
it
directly.
That
is
my
bad
I
know.
Rod
is
not
too
pleased
about
it,
but
that's
really
for
local
development
purposes.
It's
it's
really
just
a
convenient
wrapper
for
passing
in
a
lot
of
default,
boring
parameters
like
the
root
certificate
for
the
node
tree
server
or
port
numbers,
and
so
on,
and
things
like
that.
These
are
things
that
you
can
easily
write
your
own
wrappers
for
it.
A
D
F
Of
it,
yes,
because
we
we
wanted
to
make
sure
that
you
can
configure
pretty
much
everything
good
configure
when
put
into
a
distribution
to
a
distribution
as
well
as
to
a
notary
instance.
And
if
you
add
all
those
parameters,
there
are
quite
a
few.
So
first
of
all,
I
wanted
to
make
sure
we
can
satisfy
every
combination
of
of
parameters
and
the
shell
script
is
just
our
way
of
not
dealing
with
UX
currently
and
just
making
sure
everything
works
from
UX
onward.
F
D
Totally
agree,
it
should
be
as
so,
for
example,
here's
a
simple
thing
that
we
ran
into
right,
so
Riley
was
testing
that
our
to
actually
works
across
many
many
registries
now
actually
with
with
docker
content,
trust
support
such
as
harbor,
but
there
are
things
we
ran
into,
for
example,
that
we
should
improve
default
out
of
the
box
discovery,
for
example.
So,
for
example,
simple
things
like
it's
clear:
the
port
number
of
the
signing
server,
for
example,
simple
things
like
that
or
the
root
certificate
for
there.
This
thing
should
be
automatically
discovered
right.
Thank
you.
Those.
A
Are
good
things
that
I
don't
if
you
want
to
write
a
couple
of
those
notes,
maybe
that
an
issue
or
something
like
learnings
from
from
seen
a
B
or
sign
e
or
some
cute
name
just
cuz.
It's
fun
that
it's
some
kind
of
reminder
in
the
issues
for
the
notary
project
that
we
capture
those.
As
we
start
doing,
the
you
expert
notary
to.
D
So,
for
example,
I
will
say
that
privately
someone
DMD
me
just
now
and
asked
this
question
which
I
wish
there
that's
publicly,
because
it's
a
great
question,
it's
totally,
not
obvious
at
all.
They
were
like.
Why
couldn't
you
just
copy
signatures?
You
know
why
not
just
trademark
copy
signatures
from
one
registry
to
another
great
question.
The
thing
is
that
those
signatures.
D
Yes,
there
is
a
public
API
to
copy
the
signatures
right
and
you
can
get
it
over
HTTP.
That's
not
a
problem,
even
though
internally
behind
the
scenes
it
could
be
in
RAM,
it
could
be
in
Moorea
DB.
It
can
be
read
as
whatever
you
don't
care
about
that.
The
point
is
this:
the
public
endpoint
to
consume
the
metadata
great
and
let's
say
you
blindly
copy
the
signatures
and
copied
it
in
your
private
air
gap
registry,
for
example.
Why
is
this
not
a
great
idea?
Well,
it
will
work
temporarily.
D
A
D
A
That's
fair:
we've
talked
about
this
and
I've
we've
written
a
bit
of
this
up
is
the
kind
of
the
movement
like
an
air
gap.
Environment
is
an
isolated
environment
that
runs
on
its
own
either
it's
offline
or
it's
got
controlled,
Network
egress
into
it.
The
assumption
is
whether
it
be
revoked
keys
like
there
is
Const.
There
is
an
update
interval
that
can
go
into
that
environment.
It's
just
you've
got
to
make
sure
that
everything
in
that
environment
can
operate
without
external
access.
A
So
the
idea
that
you
can
move
key
provocations
into
it,
you
can
move
additional
new
versions
of
things
and
new
versions
of
the
metadata
is
are
all
valid
things,
and
if
you,
the
interesting
one
that
I
can
think
of
is
the
person
that
produces
the
original
content.
How
often
do
they
refresh
does
that
meet
the
requirements
of
the
entity?
A
That's
consuming
that
content
like
if
I'm
going
if
I
know
I'm
going
offline
for
three
months
or,
let's
just
say
a
month
as
I'm
going
across
the
notion
that
I'm
not
going
to
spend
expensive
connectivity
pulling
from
a
satellite,
then
I
need
to
make
sure
that
the
content,
I'm
consuming,
wasn't
refreshing
once
a
day
and
that's
the
assumption.
So
there's.
D
A
It's
the
disk,
it's!
How
do
you
provide
some
disconnect
between
the
producer
of
content
and
the
consumer
of
content,
because,
while
the
consumer
of
content,
we
assume
many
of
these
companies,
especially
ones
they
really
serve,
concern-
will
have
an
additional
signature
they'll
put
on
at
a
definition
or
verification
that
says:
hey
I've
tested
this
for
my
environment.
So
not
only
does
it
have
Tricia
hunks
key
for
what
he
produced
that
I
consumed,
but
it's
also
got
my
you
know
rocket
network
or
acne
or
whatever
it
is.
A
The
information
that
you've
produced
is
still
valid
because
we
assume
we
kind
of
take
the
security
model
that
we
assumed
at
the
time
we've
gotten
the
content.
At
that
point,
it's
in
a
known
state.
A
week
later,
the
same
content
can
turn
out
to
be
vulnerable
because
the
vulnerability
didn't
find
it
wasn't
discovered
until
after
the
thing
was
released.
A
So
in
that
case,
I
still
want
to
be
able
to
go
back
and
get
something
from
from
Trisha
UNK
that
produced
the
original
content.
To
know
that
hey,
it
was
good
last
Monday,
but
now
it
turns
out,
we've
discovered
it's
not
good
and
I.
Don't
think
you
want
a
key
revocation
scenario
and
that
one,
because
it's
really
it's
anyway,
we
have
to
think
about
that.
Yeah.
D
A
That's
the
thing
I
want
to
remind
like
again:
I
wrote
this
somewhere
is.
We
have
been
talking
about
the
air
gap
scenarios
like
these
really
esoteric
submarines
and
oil
platforms
and
things
that
are
like
they're
really
important,
but
to
a
very
small
group
of
people
that
we
could
all
punt
the
scenario,
and
at
least
you
know,
I
can
speak
from
a
national
perspective,
but
I
know
the
Adobe
s.
Folks
are
doing
the
same.
A
Is
we
see
our
customers
wanting
air
gapped
environments
for
their
standard
workloads
like
they're,
comfortable
on
Prem
and
one
of
the
ways
they're
comfortable
moving
to
the
cloud?
Is
they
can
move
into
the
cloud
with
an
equivalent
air
gapped
environment?
So
it's
it's
really.
The
average
customer
wants
this.
That's
why
we're
all
creating
these
private
be
netting
capabilities,
so
customers
can
really
lock
down
all
external
access,
even
in
their
pub.
Even
in
you
know
our
public
clouds,
so
it's
not.
We
should
not
treat
it
as
an
esoteric
environment.
A
G
A
A
All
right
for
those
didn't
make
the
whole
call
will
obviously
have
the
recording-
and
this
is
great
to
see
what
you
guys
were
able
to
get
with
what
exists
to
some
extent,
you
kind
of
validated
some
of
the
things
that
we're
still
working
on.
We
still
need
to
keep
on
working
on
because
you
still
need
them.
So
that's
that's,
really
good
feedback,
so
I
do
Trish
monk.
Thank
you
for
you
and
your
whole
team.
A
A
A
You
know
what
we
want
to
do
here,
because
it
seems
like
Europe,
China
and
India
and
the
Americas
it's
really
hard
to
get
three
four
I've
already
lost
count,
so
let's
kind
of
figure
out
what
works,
and
maybe
we
just
need
to
do
some
kind
of
vote
to
misy
like
all
right
what
continents
do
we
really
need
to
support
for
this
call,
so
with
that
we'll
wrap
up
for
next
week.
Thank
you.
Everybody.