►
From YouTube: CNCF Notary v2 Key Management 2020-07-17
Description
CNCF Notary v2 Key Management 2020-07-17
A
I
just
updated
the
pull
request
with
some
some
of
the
scenarios
a
little
bit
more
fleshed
out.
I'm
just
gonna
post
that
here
in
the
chat.
A
B
So
I
I
was
reading
through
the
document.
B
And
I
have
one
question
so
so
in
our
use
case
with
with
the
current
notary
v1,
we
are
also
looking
at
something
like
a
self-service
portal
or
something
like
that,
where
teams
can
create
our
repositories
and
the
and
the
keys
belonging
to
those
as
well
authorizing
or
deauthorizing
delegations.
At
first
sight.
I
don't
see
this
back
in
in
these
key
management
scenarios.
A
So
let
me
understand
that
use
case
better.
Is
that
essentially
saying
that
if
an
administrator
has
created
a
root
key,
they
can
give
permissions
to
others
through
some
portal
to
get
delegate
keys
from
that
route.
B
B
A
B
Let's
say
I
want
to
re
release,
docker
image,
a
b
and
c,
then
I
would
create
in
this
portal
the
repositories
and
then
based
on
our
iam
system.
We
give
people
access
to
manage
these
repositories
and.
C
A
Right,
I
think
one
of
the
things
that
we
were
trying
to
do
with
notre
dame
v2
was
split,
the
registry
from
the
signing
component
right
and
so
rather
than
going
having
like
an
ovary
per
registry.
A
I
think
the
approach
here
turns
into
you
have
like
a
single
service,
that's
telling
you
essentially
which
public
keys
to
trust
and
which,
like
delegates,
have
been
revoked
and
that
shares
that
information,
but
you
can
essentially
publish
to
any
registry
with
one
set
of
keys
if
you
wanted
to
and
then
on
this
on
the
flip
side,
anyone
that's
actually
pulling
containers.
A
They
can
also
define
registry
independent
keys,
so,
like
they'll,
say
here's
the
keys
that
I
trust,
and
regardless
of
whichever
registry
you're
pulling
containers
from
you
can
validate
against
that.
I
think
this
enables
us
to
do
things
like
migrate
containers
from
one
registry
to
another.
I
think
you
know,
as
I've
been
fleshing
out
some
of
these
use
cases,
what
it's
kind
of
making
it
more
clear
for
me
is
what
does
the
rather
than
the
key
management
service?
A
I
I
think
that's
kind
of
like
a
component
that
notary,
like
the
notary
server
aspect
of
it,
is
almost
turning
into
where,
rather
than
hosting
signatures,
it's
hosting
for,
like
you,
know,
here's
my
developer
identity
here
are
my
public
keys
and
here's
the
keys
I've
revoked
so
far.
B
B
How
can
we
ensure
that
a
team
can
self-manage
their
delegations.
A
I
think
that's
one
where
we
will
want
to
define
more
on
what
the
functionality
of
the
key
management
service
turns
out
to
be
right,
like
I
think
here,
there's
a
few
different
options
on
creating
delegate
keys.
I
think
this
comes.
This
is
something
we'll
need
to
flush
out
more
in
terms
of
how
are
those
delegate
keys
created
right
right
now?
A
I
think
what
I
have
spelled
out
here
is
just
the
steps
that
need
to
get
taken.
I
think
there's
a
very
good
call-out
that
you're
saying
in
terms
of
like
you
know,
if
you
want
this
to
be
a
centralized
service,
how
would
that
operate?
A
And
I
think
that's
one
where
the
key
store
kind
of
matters
in
the
sense
that
if
the
delegate
keys
are
being
stored
on
local
machines,
in
terms
of
like
the
hybrid
scenario,
then
really
it's
a
matter
of
wherever
the
root
public
keys
are
being
stored,
that
you
can
get
the
the
you
haven't.
You
have
access
to
kind
of
go,
get
those
signed
to
get
whatever
you
need
sign
for
delegate
key
to
be
chained
to
the
root
key,
so
I
can
add,
I
think,
some
steps
in
there
that
calls
out.
A
A
B
B
A
I
think
the
the
key
management
aspect
of
it
may
not
necessarily
be
done
through
notary.
I
think
the
key
man
as
in
sort
of
like
what
what's
traditionally
been
considered,
the
notary
server
right.
The
key
management
would
be
something
that's
more
of
like
a
publisher,
only
solution
right,
because
it's
and
by
publisher
I
mean
everyone,
that's
involved
in
sort
of
like
building
and
getting
a
container
into
a
registry
right
notary
would
be
something
that
you
need
for
communication
between
the
publisher
and
the
deployer.
A
So
here
I
think
this
goes
more
into
the
key
management,
and
I
think
this
is
one
where,
if
we
look
at
key
management,
there's
going
to
be
different
ways
of
doing
it,
some
people
may
do
it
through,
like
a
local
key
store.
A
B
A
The
hybrid
scenario
flushing
that
out
and
how
those
keys
are
delegated
we'll
address
the
delegate
key
generation,
but
the
notary
essentially
becomes
the
more
of
the
like.
You
have
a
root
key.
A
How
is
that
root
key
available
to
people
that
are
deploying
to
know
that
this
is
the
root
key
for
this
publisher,
and
I
think
there
will
want
to
list
out
what
the
scenarios
are
right,
because
there's
going
to
be
cases
where
that's
a
that's,
a
private
notary
server
being
used
within
an
organization,
it
could
be
a
public
notary
server
where
you
know
you're,
sharing
sort
of
like
anyone.
That's
you
know,
publishing
containers
publicly.
A
There
can
be
notary
servers
that
potentially
are
hosted
in
air
gap
regions
right.
So
I
think
the
this
is
one
where
I
want
to
go
back
to
the
larger
group
and
and
kind
of
go
with
this
proposal
of
what
the
notary
server
is
changing
into,
because
the
nordi
server
today
is
hosting
all
these
signatures,
which
I
don't
think
is
needed.
A
It
really
needs
to
become
more
of
a
root,
key
store
and
a
revocation
list
store
right,
and
then
I
think
the
the
point
you're
bringing
in
is
the
delegate
key
generation,
which
I
think
goes
into
the
hybrid
scenario
and
that's
one
of
the
things
I
think
we
want
to
flush
out,
because
I
have.
I
actually
have
I'd,
also
like
to
get
your
thoughts
on
sort
of
like
you
know,
when
we
do,
for
example,
the
local
key
store
right.
A
Are
we
go?
Are
we
saying
that,
like
you
know
we're
going
to
allow
root
keys
to
be
stored
in
plain
text,
or
do
we
want
to
actually
kind
of
specify
a
key
store,
because
then
that
key
store
can
become
part
of
how
the
key
management
is
done
right?
We
can
specify
and
say
that
if
you
store
your
root
key,
this
way
put
some
access
control
in
front
of
it
and
then
all
of
a
sudden,
you
have
a
system
that
you
can
use
for
delegating
keys
from
there.
B
So
yeah,
what
I
was
thinking
is,
if,
if
so
so,
I
am
just
talking
about
the
web
interface
makes
it
more
tangible,
especially
for
users
or
people
who
need
to
use
this
in
a
bigger
organization.
Who
are
not
that
deep
into
the
topic.
B
So
let's
say
we
have
a
web
application
which
integrates
with
the
the
enterprise
single
sign-on
system.
Based
on
that
this
web
application,
we
can
define
some
role-based
access,
control
on
different
features,
and
there.
A
B
People
can
just
define
okay,
for
this
repository
a
b
and
c
is
allowed
to
publish
images,
so
that
could
be.
C
B
Jobs
but
also
individual
individual
developers,
and
similarly,
we
should
also
be
able
to
remove
those
keys
and
yeah
to
prevent
that
anyone
randomly
creates
those
repository
keys.
We
could,
for
example,
limit
that
to
some
kind
of
admin
user
who
who
takes
care
of
the
that
part,
so
that
allows
us.
A
Yeah,
I
call
that
out
in
the
keyboard,
listen
and
revocation
use
cases
with
that.
I
think
what
I
need
to
kind
of
add
in
now
is
elaborate
publisher
to
not
just
publisher,
but
in
some
cases
you
have
an
admin
user
and
you
have
a
delegate
user
right.
B
Yeah,
so
the
the
admin
user
is
more
or
less
someone
who
is
able
to
create
target
keys,
maybe
root
keys
depending
on
what
the
strategy
is.
Currently,
we,
we
just
use
a
single
root
key
for
a
registry,
so
for
a
internal
registry
we
deploy
this
web
application.
We
have
as
we
we
didn't
made
it
in
such
way,
yet
that
we
can
support
multiple
registries
with
another
ev2
that
probably
isn't
required,
because
the
the
keys
will
be
reusable
across
registries.
B
Publisher
side,
but
what
I'm
still
not
entirely
or
what's
still
not
entirely
clear
to
me,
is
what
what
happens?
Let's
say
I
I
now
register
which
keys
and
which
allegations
are
are
in
place.
B
That's
registered
against
this
single
notary
server,
because
whenever
I
create
those
keys,
we
also
communicate
with
another
reservoir.
So
it's
known
to
the
notary
server,
but.
C
B
What
if
I
now
have
this
internal
server
or
this
internal
notary
server?
B
How?
How
do
we
sync
up
different
notary
servers?
Maybe
air
gapped,
so
people
can
still
use
it.
So
so,
let's
say
in
our
development
environment
we
pretty
often
need
access
to
docker
hub,
because
some
of
our
images
depend
on
images
from
docker
hub,
but
in
the
runtime
environment,
where
we
run
our
products,
we
might
just
want
to
only
run
against
this
private
registry,
where
we
have
published
our
own
images.
A
Right,
I
think
the
the
the
part
about,
like
the
delegate
key
chaining
to
the
root
that
information
should
be
part
of
the
signature
right.
A
B
So
the
solution
there
is
more
or
less
like
how
it
works
with
with
tls
certificates.
For
for
securing
your
your
https
traffic.
Is
it
that.
D
B
We
are
going
to
treat
these
root
certificates
and
maybe
an
additional
layer
of
root
certificates,
just
like
you
have
certificate
authorities,
intermediate
certificates,
etc,
and
that
we
installed
those
certificates
like
the
root
certificates
intermediates.
We
installed
that
on
the
system
and
then,
by
definition,
everything
created
underneath
that
structure
is
trusted.
A
Right-
and
I
think
I
put
in
like
a
let's-
see
whether
we
wanted
to
do
this-
where
we
wanted
the
intermediates.
That's
an
open
question
that
I
had
for
line
62
in
terms
of
like
you
know.
Do
we
envision
having
this
would
be
would
be
useful
because
the
question
here
comes
in,
like
you
know,
what's
the
guidance
that
we
give
like
you
know,
just
create
a
new
route
or
create
a
subordinate.
A
I
think
subordinate,
like
from
large
organization
perspective,
makes
a
lot
of
sense,
because
then
you
have
different
levels
of
control,
right,
yeah,
and
so
I
kept
moving
up
an
item
because
I
I
didn't.
I
wanted
to
get
some
additional
feedback
on
that,
but
yes
you're
absolutely
right.
I
think
that's
the!
I
think
that
the
signature
validation,
independent
of
registry-
you
can
do
this.
B
A
A
Where
you
know,
if
you
want
to
use
sort
of
like
a
public
cert
issuance,
you
could
potentially
go
leverage
one
of
those
to
also
kind
of
get
certificates
and
use
that,
as
as
a
spending
mechanism
as
well.
B
Yeah
exactly
because
in
our
research
department
I
have
also
been
looking
at.
For
example,
let's
say:
if
you
want
to
use
modern
technologies
like
http,
server,
push
or
grpc
kind
of
services
you
you
need
to
run
them
on
tls,
but
the
problem
or
the
difficulty
with
many
of
the
development
teams
is
they
they
don't
know
how
to
get
certificates
or
you
have
to
struggle
with
these
self-signed
certificates,
which
are
not
trusted
everywhere.
B
C
B
You
basically
allow
people
to
self-manage
their
certificates,
so
you
could
say:
okay
developers
are
allowed
to
issue
new
certificates
for
for
development,
so
for
ci,
but
also
for
local
development
on
their
own
laptop
and
those
certificates
because
they
are
signed
by
the
intermediate
and
the
the
upper
root
certificate
are
automatically
trusted
in
your
browser.
So
those
kind.
B
They
can
self-manage,
but
production
certificates-
that's
just
a
small
set
of
company
administrators
who
can
create
those
kind
of
certificates.
So
we
were
thinking
about
making
this
more
or
less
self-managed.
B
So
then,
I
also
looked
into
let's
encrypt
and
the
acme
protocol
like
how
you
can
automate
retrieval
of
those
certificates
and
renewal
and
those
kind
of
things.
B
So
now
we
we
are
talking
about
moving
more
or
less
into
this
tls
certificate
kind
of
approach.
I
was
thinking,
wouldn't
it
be
smart
if
we
would
integrate
with
this
acme
protocol,
where
you
can
also
benefit
from
from
automation
and
standardized
apis
which
which
are
already
there
done
by
let's
encrypt
and
and
others.
A
So
there
are
some
concerns
with
acme
and
I
think
that's
one
we
can
discuss
further.
I
think
that's
actually
worth
a
conversation
in
terms
of
what
are
the
kind
of
automations
we'd
want
to
put
in
place,
and
there
could
potentially
be
things
in
terms
of
like
you
know,
whichever
domain,
you
trust
things
like
that
and
there's
a
few
different
approaches
to
that,
like
you
could
do
it
through
automation,
from,
for
example
like
if
you
were
trusting
domains,
you
can
do
that
through
domain
validation.
A
You
can
do
that
through
email
validation
as
well.
If
you
wanted
to
do
sort
of
like
email,
validated
certs,
there's
a
few
different
mechanisms
to
do
that,
but
I
think
yes
you're
absolutely
right
like
exploring
the
different
automation
options
and
seeing
if
any
one
of
those
would
make
sense,
I
think
that's
something.
B
C
B
C
A
Right,
I
think
they're,
the
one
other
component
that
does
come
in
through
some
things
like
that
is
you'd
also
need
to
get
a
timestamp
signature
on
that,
and
so
that
timestamp
signature
would
need
to
get
created
outside
of
the
of
the
the
build
pipeline
right
out
of
the
outside
of
the
ci
system
for
the
certificate
time
to
be
trusted.
A
So
I
think
that's
that
kind
of
automation
could
make
sense.
I
think
that's
one
where,
let's
add
those
two
ideas
to
like,
so
I
think
the
first
one
is
the
automation
and
then
getting
certs
from
sort
of
like
a
public
ca
and
then
the
second
one
that
we
were
looking
at
would
be
making
sort
of,
like
you
know,
short
lived
search.
That
makes
sense
for
sort
of
like
the
ci
cicd
pipelines
ray
and
then
the
short
list
starts.
A
I
think
they
add,
in
sort
of
like
an
external
time,
stamp
requirement
to
make
sure
that
you
trust
the
the
the
validity
period
like
signature
was
generated
during
the
validity
period.
I
think
those
are
both
things
that
we
can
have
a
wider
discussion
on
for
the
automation
for
the
next
meeting
that
we
have
I'll
I'll
come
up
with
the
short
presentation
on
the
the
different
mechanisms
we
have
for
that.
So
I
know
that
we
can
do
sort
of
like
domain-based
challenges.
A
A
You
also
need
to
now
own
a
domain
right,
and
so
whether
we
want
to
go
down
the
road
of
domains
or
emails,
I
think
there's
a
few
different
options
we
can
explore.
I
I
want
I'll
bring
in
sort
of
like
a
more
exhaustive
list
and
we
can
run
through
those
automation,
options
and
see
which
ones
make
sense.
B
Yeah
yep
yeah,
I
think
for
for
the
rest.
I
think
the
the
list
is
pretty
complete,
which
you
you
are
showing
in
this
pr
yeah.
So
the
thing
we
are
mainly
concerned
about
is:
how
do
we
manage
those
keys?
How
do
we
also
revoke
people
when,
when
they
are
leaving
the
company
or
switching
departments,
so
from
that.
C
B
B
A
So
I
think
what
I'll
do
today
is
add
in
what
the
notary
server
like
what
role
it
is
serving
here
and
kind
of
what
the
key
management
component
is
serving
for
within
the
publishing
environment.
B
Right
should
just
be
a
client
on
top
of
the
notary
server
to
to
create
those
certificates,
so
currently
notary
or
docker
trust
they
they
store
that
in
this
local
folder.
That's.
B
We
did
with
this
web
application,
so
this
web
application
has
its
own
local
folder,
where
the
keys
are
stored.
Currently,
depending
on
on
time,
I
I
can
get
for
that.
I
I
could
also
do
small
poc
to
store
the
keys
in
in
hashicorp
vault,
for
example,
yeah,
and
for
that
you
already
have
a
lot
of
items
in
this
list
like
defining
an
interface,
so
so
cloud
providers
can
can
implement
their
own
storage
yeah.
B
I
I
think
that
is
that's
already
covered
yeah
and
the
other
thing
we
are
currently
investigating
is
what,
if
a
developer
loses
his
delegation
key,
he
was
the
last
guy
who
signed
the
image.
How
do
we
do
the
rotation
and
replace
that
key?
So
so
we
can
still
continue
to
release
images.
A
Okay,
I
think
those
are
all
great
suggestions.
I'm
gonna
get
those
in
by
noon
and
share
it
in
the
slack
channel
and.
A
B
I
guess
so
let
me
check
the
calendar.
Do
you
know
the
the
time
for
that
meeting.
B
That's
7
p.m.
So
it
depends
if
my
wife
has
to
work
she
works
with
shifts,
so
I
have
to
take
care
most
of
these
times.
I
need
to
take
care
of
my
kid,
which.
B
It's
kind
of
the
time
she
needs
to
go
to
bed.
So
then.
A
Okay,
I'll
go
ahead
and
sort
of
like
if
there's
any
takeaways
from
that.
We
can
summarize
that
and
kind
of
discuss
that
on
the
friday
meeting
again
in
terms
of
next
steps.
But
thanks
for
the
feedback.
B
B
So
do
we
also
need
to
update
a
heck
of
the
meeting
notes.
A
C
A
There's
a
pen
icon,
I
think,
on
the
left
side,
let
me
actually
copy
the
meeting
template.
C
By
the
way
I
just
joined,
I'm
sorry
for
being
late,
we
had
a
tap
plus
like
standardization
meeting
that
took
the
full
amount
of
time,
and
then
some
it
sounds
like
you
guys
might
be.
Wrapping
up.
Is
that
correct.
A
Well,
the
meeting
was
scheduled
for
a
full
hour.
I
think
marco
usually
needs
to
hop
off,
but
I
think
trishank
was
supposed
to
join
late
as
well,
so
I
can
actually
stay
on
for
the
full
hour
and
go
through
that.
So
what
I'm
essentially
doing
is
right
now
is
I
put
out
a
pull
request,
so
I
was
getting
feedback
on
that.
If
you
want
to
read
through
the
pull
request,
we
can
go
through
it
and
I'll
make
some
revisions,
then
for
the
audience
on
monday.
C
Great
okay
had
mentioned
he
was
planning
to
join
this
call,
so
I
expect
I'll
we'll
see
him
in
a
minute
or
two
but
yeah
that
would
be
great
where's.
The
is
this
posted
in
the
notary,
youtube,
channel
or
where's.
The
document
that
we're
looking
at.
B
Unfortunately,
so
estonia
do,
we
did
you
take
notes
on
the
feedback
and
feedback
I
I
gave
or.
A
C
A
Sure
I
think
whatever
is
easiest
like
if
you
want
to
read
for
the
whole
one
and
then
we
can
go
through
questions
or
whatever's
easier.
It's
like
I
initially
had
planned
on
sharing
this
doc
before
the
meeting
which
I
didn't
get
unfortunately
get
a
chance
to
so
either
works
for
me.
C
I
guess
like
one
of
the
big
questions
I
have
relates
to
you,
you
talk
about,
like
publisher,
shares
the
key
and
to
me
that's
like
a
big
there's
like
a
big
question
about
how
that
sharing
happens
and
who
it's
shared
with,
and
why
someone
trusts
that
they're
getting
the
right
public
key.
A
Yeah,
I
completely
get
that
question
and
I
think
that's.
One
of
the
conversations
I
want
to
have
with
the
group
is
identifying
what
that
sharing
mechanism
is
right,
because
what
we're
essentially
trying
to
get
to
is
how
does
a
publisher
identify
themselves
to
a
deployer
without
really
having
to
rely
on
a
registry
right?
A
Essentially,
what
this
is
saying
is
that
in
the
signing
environment,
these
are
the
tasks
that
we
need
to
take
care
of
and
in
the
deployment
environment.
Here
are
the
tasks
we
need
to
take
care
of,
and
then
the
part
that
we
need
to
still
flush
out
a
little
bit.
More
is
what
does
that
sharing
mechanism?
Look
like
that
answer.
The
question.
C
It
does
in
part
it's
great
because
it's
one
of
those
answers
that
that
wants
me
makes
me
want
to
ask
like
four
other
questions.
So
it's
like
it
was
perfect.
C
The
I
guess,
like
you
talked
before
about
like
the
the
previous
model,
using
something
where
the
like.
Basically,
you
said
it
was
signatures
rather
than
keys
in
in
the
previous
tough
model,
and
can
you
just
tell
me
a
little
about
what
you
mean
there.
A
So
with
the
notary,
v1
right,
you
are
when
you're
querying
the
notary
server,
you
are
getting
a
as
I
understand
the
implementation.
A
You
are
getting
all
the
different
sort
of
signature
files
right
or
the
the
target
json
the
root
json,
the
timestamp
json
right.
So
those
are
all
analogous
to
certificates
and
signatures.
A
I
think
the
shift
that
would
make
a
little
bit
more
sense
is
if
you
move
more
into
the
model
of
trusted
roots
and
trusted
intermediates
and
have
the
individual
signatures
for
the
images
be
transported
with
the
containers
themselves
right
and
so
that's
kind
of
like
what
I
was
envisioning
would
make
the
the
container
image
sharing
much
more
easier
in
the
sense
that
the
the
the
signature
for
the
container
itself
would
move
with
the
container.
A
But
then
the
the
trust
sort
of
like
roots
and
intermediates
and
revocation
lists
would
leave
live
more
in
sort
of
like
the
centralized
service.
If
you
will.
B
C
Okay,
yeah
there's
there
tend
to
be
a
lot
of
operational
problems
with
that
model,
with
respect
to
like
there's
a
reason
why
we
didn't
go
that
route
with
with
tough.
C
But
I
want
to
like
trish
chunk
has
now
joined,
and
I
wanted
to
have
a
like
a
little
more
of
an
understanding
like
what
the
advantage
is
of
of
what
you
like
of
the
way
in
which
you're
describing
things,
because
if
you
link,
if
you
like
embed
signatures
in
some
way
in
more
directly
in
the
oci
metadata,
then
this
has
a
whole
bunch
of
potential
downsides.
C
In
that
you
can't
really
have
multiple
people
sign
the
same
thing
and
the
signatures
are
also
separated
from
many
contexts
about
the
party
doing
the
signing,
and
so
you
always
have
to
have
some
way
to
link
that
back
to
the
like
to
understand
why
you
should
trust
this
party
and
how
you
should
trust
them.
C
The
kind
of
I
think
the
the
problem
you're
trying
to
solve,
with
with
like
sharing
the
keys
and
like
a
lot
of
the
issues
related
to
revocation,
I
I
think,
are
a
lot
harder
to
do
in
in
the
sort
of
tls
model,
because
it
wasn't
really
built
with
revocation
as
a
first
class
primitive.
C
C
Okay,
since
this
is
my
first
time
joining
this
group
and
I'm
aware,
like
I
feel
very
much
like
I'm
stepping
into
like
you
guys
backyard
and
talking
trash,
and
I
don't
I'm
not
trying
to
do
that.
I
I
just
want
to
I.
I
really
am
just
trying
to
understand
what's
going
on
here.
Maybe,
since
you've
been
more
engaged,
you
can
you
can
discuss
and
talk
about
what
the
key
management
scenarios
document
and
stuff
in
a
better
way
than
I
can.
D
Yeah
sure,
unfortunately,
I
just
walked
into
the
meeting
myself.
This
is
actually
my
first
time
joining,
and
so
I'm
I'm
also
missing
some
context
as
you
are.
I
do
agree
with
your
point
about
mapping
signatures
to
roles
rather
than
files
themselves,
because
you're
missing
contacts
about
who
did
what
that's
the
first
thing
I
do
agree.
D
The
second
thing
is
again:
I
I
don't
want
to
talk
without
missing
by
missing
having
missed
a
lot
of
contacts,
but
when
I
hear
things
like
revocation
lists,
I
get
slightly
worried
because
that
hasn't
worked
out
well
in
tls,
as
we've
all
seen.
Nobody
actually
checks
for
the
revocation
because
it's
very
expensive
the
way
it's
commonly
done,
so
nobody
really
effectively.
Does
it.
So
if
we
can
do
better,
that
would
be
great.
That's
all.
A
I
I
agree
with
that
feedback
and
I
think,
in
terms
of
setting
context,
this
is
really
the
first
time
we're
looking
at
this
more
detailed
doc,
and
so
please,
like
you,
know,
go
through
it,
and
all
of
this
feedback
is
welcome.
I
think
the
goal
here
really
is
to
kind
of
come
up
with
something
that
works
at
scale.
A
Obviously,
and
revocation
is
obviously
one
of
the
tricky
parts
when
you
go
into
sort
of
like
a
sort
of
like
trusted,
root,
configured
model
right
rather
than
sort
of
like
having
the
entire
sort
of
like
signature
map
available,
so
I
think,
there's
trade-offs
on
either
side.
I
think
the
question
here
is
really
highlighting
these
trade-offs
and
identifying
what
makes
sense.
So
I
think
any
of
the
feedback
here
is
absolutely
welcome.
A
The
way.
The
approach
that
I
was
kind
of
thinking
of
this
more
was
triggered
less
around
sort
of
like
you
know.
Yes,
the
roles
do
matter.
I
think
here
the
roles
are
classified
more
in
terms
of
the
the
roots
and
the
intermediates
that
is
telling
you
who
actually
signed
the
artifact
in
terms
of
like
you
know
whether
you're
trusting
a
company,
in
which
case
you
might
trust
a
root.
A
If
you're
trusting
sort
of
like
individual
developers,
those
could
be
individual
intermediates,
we
can
go
up
and
down
the
tree
and
sort
of
like
you
know,
make
this
as
complicated
or
as
simple
as
sort
of
like
you
know.
The
use
cases
require
the
part
about
sort
of
like
the
signature
kind
of
being
available
with
the
artifact
makes
the
validation
somewhat
easier
in
the
sense
that
you
know,
if
you
have
a
a
trust
root
configuration.
A
That's
worked
for
a
lot
of
other
code,
signing
use
cases
as
well
right,
and
I
think
the
question
here
is
in
terms
of
comparison.
What
do
we
gain
by
either
model?
And
what
are
the
changes
I
think
part
of
where
we
want
to
take?
This
is
one
the
core
requirements
that
come
in
is
that
the
notary
server
needs
to
be
independent
of
registries.
So
you
could
use
the
same
notary
across
multiple
registries
and
the
other
part
of
it.
A
I
think
that's
the
core
requirement
is
you
know
the
the
aspect
of
like
you
know,
notary
servers,
potentially
being
private
and
public
and
being
accessible.
A
I
think
outside
of
that,
how
the
pki
is
set
up,
how
the
signatures
are
set
up,
I
think,
is
something
that's
open
for
discussion,
so
this
is
kind
of
like
I
think,
like
a
starting
point,
so
I'd
like
to
get
sort
of
like
pushback
in
terms
of
like
what
we
see
as
the
concerns
here
and
how
those
are
potentially
addressed
in
something
in
more
potentially
like
even
a
hybrid
solution,
if
you
will,
but
if
we
start
from
there.
A
D
Yeah,
that
is,
that
is
wonderful.
Thank
you.
In
fact,
some
of
some
of
your
use
cases
you
talked
about,
such
as
trust
roots,
choosing
on
the
level
of
the
whole
registry
or
particular
developers
or
the
company
level,
are
interesting.
These
are
actually
some
questions
that
we
have
explored
recently
ourselves.
We
just
got
off
on
a
call
about
one
of
these
features
and,
and
it's
a
fair
question
about
what
we
gain
by,
not
so
by
associating
signatures
directly
with
files,
instead
of
different,
different
different
roles
right
this
sort
of
indirection.
D
D
B
A
B
So
I'll
have
to
drop
off
now,
but
yeah
just
keep
me
posted
I'll,
just
check
slack
on
a
daily
basis
and
if
anything
is
required
for
my
sites.
Just
let
me
know.
D
D
A
Yes,
if
you
can
provide
comments
there,
we
can
go
through
that
that
way.
We
also
have
a
record
of
like
you
know
what
the
feedback
we
got
and
make
sure
that
those
are
being
addressed
as
we
go
through
god,
thanks
yeah,
I
apologize
I
didn't
have
enough.
I
didn't
get
to
stop
then
early
enough,
where
I
could
share
it
earlier
in
the
slack
channel.
I'm
gonna
try
and
get
revisions
out
on
wednesdays,
going
forward.
C
So
so
one
thing,
I'm
I'm
also
kind
of
trying
to
wrap
my
head
around
here
and
I'm
sorry
if
I'm
like
this
might
seem
like
a
small
point,
but
maybe
it's
important.
Maybe
it's
not,
but
one
thing
I
really
like
you
say,
is
in
parentheses
a
lot
of
times.
You
say
what
you're
trying
to
achieve
by
doing
this
action,
like
a
publisher,
shares
the
root
public
key,
so
other
users
can
verify
the
containers
before
running
them.
C
But
really
you
know
your
goal
is
the
thing
in
parentheses
and
the
the
you
know
like
I'm,
I'm
not
I'm
not
saying
I
can
imagine
a
scenario
where
they
don't
have
to
have
the
key,
but
if
somehow
there
were
a
scenario
where
they
didn't
have
to
have
the
public
key.
To
achieve
that,
then
you
wouldn't
need
to
share
the
public
key,
for
instance,.
C
C
The
publisher
creates
new
delegate
keys
on
local
machine
that
change
a
root
key
step,
but
I
imagine
what
you're
trying
to
achieve
with
that
is
you're
trying
to
make
it
so
that
you
know,
like
someone,
has
the
ability
to
be
able
to
sign
for
parts
of
things,
and
you
also
have
the
ability
to
use
multiple
keys
that,
like,
for
instance,
different
developers
can
have
their
own
key.
C
Is
that
is
that
right?
Or
do
you
see
what
I
mean
because,
like
some
of
these,
I
can
understand
directly
the
the
reason
for
this,
and
some
of
these-
I,
I
guess-
and
I
might
guess
correctly,
but
I'm
I'm
not
sure,
I'm
guessing
right.
A
No,
that's
actually
a
good
call
out.
I
think
part
of
this
was
something
that
I
did
want
to
talk
about
in
this
group.
Should
we
actually
prevent
signing
of
container
images
with
the
root
keys,
because
the
root
key
is
essentially
translating
into
a
root
identity
right
and
if
the
root
key
is
readily
available,
then
potentially
it
is
something
that
could
be
easily
compromised.
A
A
So
one
of
the
things
that
I
was
kind
of
thinking
about
here
was
that
you
know
if
we
come
up
with
a
key
architecture
where
the
root
key
is
not
something
you
can
use
to
sign
images
with,
and
you
potentially
have
to
use
a
delegate
key
for
signing.
A
One
of
the
things
we
could
potentially
leverage
here
is,
we
could
add
in
a
key
store
requirement
where
right
now,
I
believe
in
notary
the
keys
are
kept
in
a
folder
rather
than
that
could
be
potentially
used
like
a
java
key
store
or
some
other
key
store,
where
you're
at
least
adding
some
level
of
protection
where
they're
not
like
readily
available,
and
if
the
root
key
isn't
being
frequently
used.
A
Then
really,
you
know
it's
really
the
delegate
key
that
if
you
potentially
gets
compromised,
in
which
case
in
case
you
could
just
you
know,
rotate
that
create
a
new
delegate
key
and
use
that,
and
so
that's
kind
of
like
where,
where
I
was
thinking
about
that,
where
we
would
now
actually
require
everyone
to
kind
of
use,
a.
C
Yeah
that
that
makes
a
lot
of
sense
and
also
how
you
do
that
rotation
securely,
and
things
is
also
really
tricky
to
do
right.
C
It's
something
like
we
we've
seen
a
lot
of
big
organizations
where,
basically,
they
just
push
an
update
sign
with
the
old
key
to
try
to
rotate
the
key
out
when
it's
compromised,
and
the
problem
is
that
the
attacker
already
has
the
old
key
too.
So
you
know
that's
not
not
great,
to
put
it
mildly,
yeah.
C
But
why
why
they
want
to
do
something
like
this,
because
I
think
it's
it's
easier
than
for
us
to
go
and
see
like,
like
the
immediate
thing
I'm
trying
to
do
here
is
to
try
to
reason
about,
like
you
know,
a
hypothetical
design
that
would
do
this.
That
used
like
metadata
on
the
oci
images
and
use
something
like
tls
to
try
to
do
key
management
versus
doing
something
like
tough
and
I'm
trying
to
figure
out
like
where
the
gaps
are
in
the
solutions.
C
And
it's
it's
kind
of
hard
to
do
that
in
places.
Because
some
of
this
is
written.
I
think
with
them
with
a
design
in
mind,
rather
than
the
outcome.
A
I
think
that's
actually
a
fair
call
out.
I
think
I
can
actually
elaborate
on
why
these
different
steps
are
being
taken.
A
They're
accomplishing
and,
like
frankly,
like
you
know,
if
there's
a
better
story
for
getting
the
revocation
information
out
in
terms
of
liking,
if
you're
able
to
lock
down
roots
and
there's
some
sort
of
like
signed
metadata,
that's
going
out
like
you
know
the
same
way
that
the
tough
sort
of
like
framework
currently
works.
I
think
there's
potentially
a
hybrid
there
and
I
think
you've
actually
called
that
one
of
the
concerns
that
we
had
with
notary
v1,
where
to
get
a
root
rotation.
A
You
have
to
sign
with
the
old
group
right,
and
so
if
that
route
was
compromised,
I
agree
with
you
there.
That's
not
the
best
solution,
and
so
I
think,
really
kind
of
teasing
it.
Apart
like
what
does
a
group
revocation
look
like
versus
what
does
a
delegate
revocation
look
like,
I
think,
if
we
can
build
in
sort
of
like
automation,
where
you're
not
necessarily
having
to
go
to
a
crl,
to
kind
of
do
that,
like
that's
great,
and
so
I
think
I
will.
A
What
I'll
do
as
a
next
step
here
is,
is
adding
some
of
the
motivations
and
I
think,
you're
absolutely
right
like
that,
will
make
that
conversation
much
easier.
What
I'm
gonna
do
is
we
only
have
like
a
few
minutes
left.
A
I
I'm
gonna,
take
in
sort
of
like
the
suggestions,
I've
gotten
here
and
and
and
make
some
changes
to
the
pull
request
and
push
it
out
today
and
then
I'm
gonna
ask
steve
for
like
30
minutes
on
the
monday
meeting
to
kind
of
go
through
additional
comments
and
stuff,
and
I
think
that'll
be
a
more
fruitful
discussion.
A
Awesome.
Okay,
yeah
was
there
any
other
comments
that
come
up
and
that
I
could
potentially.
D
C
A
A
Yeah,
I'm
gonna
post
in
the
slack
channel
once
I
have
the
comments
added
in
so
feel
free
to
take
a
look
at
the
request.
After
those
written.
C
Yeah
we're
sorry
that
we
were
late.
We
will,
you
know,
we'll
try
to
arrange
things
in
the
future
so
that
we
don't
overlap
with
us.
We
can
make
this
meeting.
A
Yeah
no
worries,
I
think
I
have
to
change
the
meeting
in
my
time
as
well.
I
think,
like
marco's,
been
pretty
interested
in
the
key
management
side
of
things
as
well.
So
I
think
7
30
to
8
30
pacific
time
seems
to
work
for
people
that
are
most
interested
in.
D
A
A
So
we'll
keep
this
hour
going,
but
thanks
for
coming
in
and
giving
the
feedback,
I
think
all
of
it's
very
useful.
C
Thank
you
for
being
so
gracious
about
it
as
well.
Awesome
all
right!
Well,
we'll
see
you
in
the
next
meeting.
Hopefully
all
right
sounds
good.
Have
a
good
weekend
see.