►
From YouTube: CNCF Notary v2 Key Management 2020-07-17
Description
CNCF Notary v2 Key Management 2020-07-17
A
A
B
And
I
have
one
question
so
so
in
our
use
case
with
with
the
current
notary
v1,
we
are
also
looking
at
something
like
a
self-service
portal
or
something
like
that,
where
teams
can
create
our
repositories
and
the
and
the
keys
belonging
to
those
as
well
authorizing
or
deauthorizing
delegations.
At
first
sight.
I
don't
see
this
back
in
in
these
key
management
scenarios.
A
A
B
C
A
They
can
also
define
registry
independent
keys,
so,
like
they'll,
say
here's
the
keys
that
I
trust,
and
regardless
of
whichever
registry
you're
pulling
containers
from
you
can
validate
against
that.
I
think
this
enables
us
to
do
things
like
migrate
containers
from
one
registry
to
another.
I
think
you
know,
as
I've
been
fleshing
out
some
of
these
use
cases,
what
it's
kind
of
making
it
more
clear
for
me
is
what
does
the
rather
than
the
key
management
service?
B
A
I
think
that's
one
where
we
will
want
to
define
more
on
what
the
functionality
of
the
key
management
service
turns
out
to
be
right,
like
I
think
here,
there's
a
few
different
options
on
creating
delegate
keys.
I
think
this
comes.
This
is
something
we'll
need
to
flush
out
more
in
terms
of
how
are
those
delegate
keys
created
right
right
now?
A
A
And
I
think
that's
one
where
the
key
store
kind
of
matters
in
the
sense
that
if
the
delegate
keys
are
being
stored
on
local
machines,
in
terms
of
like
the
hybrid
scenario,
then
really
it's
a
matter
of
wherever
the
root
public
keys
are
being
stored,
that
you
can
get
the
the
you
haven't.
You
have
access
to
kind
of
go,
get
those
signed
to
get
whatever
you
need
sign
for
delegate
key
to
be
chained
to
the
root
key,
so
I
can
add,
I
think,
some
steps
in
there
that
calls
out.
A
A
B
B
A
I
think
the
the
key
management
aspect
of
it
may
not
necessarily
be
done
through
notary.
I
think
the
key
man
as
in
sort
of
like
what
what's
traditionally
been
considered,
the
notary
server
right.
The
key
management
would
be
something
that's
more
of
like
a
publisher,
only
solution
right,
because
it's
and
by
publisher
I
mean
everyone,
that's
involved
in
sort
of
like
building
and
getting
a
container
into
a
registry
right
notary
would
be
something
that
you
need
for
communication
between
the
publisher
and
the
deployer.
A
B
A
A
How
is
that
root
key
available
to
people
that
are
deploying
to
know
that
this
is
the
root
key
for
this
publisher,
and
I
think
there
will
want
to
list
out
what
the
scenarios
are
right,
because
there's
going
to
be
cases
where
that's
a
that's,
a
private
notary
server
being
used
within
an
organization,
it
could
be
a
public
notary
server
where
you
know
you're,
sharing
sort
of
like
anyone.
That's
you
know,
publishing
containers
publicly.
A
There
can
be
notary
servers
that
potentially
are
hosted
in
air
gap
regions
right.
So
I
think
the
this
is
one
where
I
want
to
go
back
to
the
larger
group
and
and
kind
of
go
with
this
proposal
of
what
the
notary
server
is
changing
into,
because
the
nordi
server
today
is
hosting
all
these
signatures,
which
I
don't
think
is
needed.
A
It
really
needs
to
become
more
of
a
root,
key
store
and
a
revocation
list
store
right,
and
then
I
think
the
the
point
you're
bringing
in
is
the
delegate
key
generation,
which
I
think
goes
into
the
hybrid
scenario
and
that's
one
of
the
things
I
think
we
want
to
flush
out,
because
I
have.
I
actually
have
I'd,
also
like
to
get
your
thoughts
on
sort
of
like
you
know,
when
we
do,
for
example,
the
local
key
store
right.
A
Are
we
go?
Are
we
saying
that,
like
you
know
we're
going
to
allow
root
keys
to
be
stored
in
plain
text,
or
do
we
want
to
actually
kind
of
specify
a
key
store,
because
then
that
key
store
can
become
part
of
how
the
key
management
is
done
right?
We
can
specify
and
say
that
if
you
store
your
root
key,
this
way
put
some
access
control
in
front
of
it
and
then
all
of
a
sudden,
you
have
a
system
that
you
can
use
for
delegating
keys
from
there.
B
B
A
C
B
A
B
Yeah,
so
the
the
admin
user
is
more
or
less
someone
who
is
able
to
create
target
keys,
maybe
root
keys
depending
on
what
the
strategy
is.
Currently,
we,
we
just
use
a
single
root
key
for
a
registry,
so
for
a
internal
registry
we
deploy
this
web
application.
We
have
as
we
we
didn't
made
it
in
such
way,
yet
that
we
can
support
multiple
registries
with
another
ev2
that
probably
isn't
required,
because
the
the
keys
will
be
reusable
across
registries.
B
B
C
B
How?
How
do
we
sync
up
different
notary
servers?
Maybe
air
gapped,
so
people
can
still
use
it.
So
so,
let's
say
in
our
development
environment
we
pretty
often
need
access
to
docker
hub,
because
some
of
our
images
depend
on
images
from
docker
hub,
but
in
the
runtime
environment,
where
we
run
our
products,
we
might
just
want
to
only
run
against
this
private
registry,
where
we
have
published
our
own
images.
A
B
D
B
We
are
going
to
treat
these
root
certificates
and
maybe
an
additional
layer
of
root
certificates,
just
like
you
have
certificate
authorities,
intermediate
certificates,
etc,
and
that
we
installed
those
certificates
like
the
root
certificates
intermediates.
We
installed
that
on
the
system
and
then,
by
definition,
everything
created
underneath
that
structure
is
trusted.
A
Right-
and
I
think
I
put
in
like
a
let's-
see
whether
we
wanted
to
do
this-
where
we
wanted
the
intermediates.
That's
an
open
question
that
I
had
for
line
62
in
terms
of
like
you
know.
Do
we
envision
having
this
would
be
would
be
useful
because
the
question
here
comes
in,
like
you
know,
what's
the
guidance
that
we
give
like
you
know,
just
create
a
new
route
or
create
a
subordinate.
A
I
think
subordinate,
like
from
large
organization
perspective,
makes
a
lot
of
sense,
because
then
you
have
different
levels
of
control,
right,
yeah,
and
so
I
kept
moving
up
an
item
because
I
I
didn't.
I
wanted
to
get
some
additional
feedback
on
that,
but
yes
you're
absolutely
right.
I
think
that's
the!
I
think
that
the
signature
validation,
independent
of
registry-
you
can
do
this.
B
A
B
Yeah
exactly
because
in
our
research
department
I
have
also
been
looking
at.
For
example,
let's
say:
if
you
want
to
use
modern
technologies
like
http,
server,
push
or
grpc
kind
of
services
you
you
need
to
run
them
on
tls,
but
the
problem
or
the
difficulty
with
many
of
the
development
teams
is
they
they
don't
know
how
to
get
certificates
or
you
have
to
struggle
with
these
self-signed
certificates,
which
are
not
trusted
everywhere.
B
C
B
You
basically
allow
people
to
self-manage
their
certificates,
so
you
could
say:
okay
developers
are
allowed
to
issue
new
certificates
for
for
development,
so
for
ci,
but
also
for
local
development
on
their
own
laptop
and
those
certificates
because
they
are
signed
by
the
intermediate
and
the
the
upper
root
certificate
are
automatically
trusted
in
your
browser.
So
those
kind.
B
B
So
now
we
we
are
talking
about
moving
more
or
less
into
this
tls
certificate
kind
of
approach.
I
was
thinking,
wouldn't
it
be
smart
if
we
would
integrate
with
this
acme
protocol,
where
you
can
also
benefit
from
from
automation
and
standardized
apis
which
which
are
already
there
done
by
let's
encrypt
and
and
others.
A
So
there
are
some
concerns
with
acme
and
I
think
that's
one
we
can
discuss
further.
I
think
that's
actually
worth
a
conversation
in
terms
of
what
are
the
kind
of
automations
we'd
want
to
put
in
place,
and
there
could
potentially
be
things
in
terms
of
like
you
know,
whichever
domain,
you
trust
things
like
that
and
there's
a
few
different
approaches
to
that,
like
you
could
do
it
through
automation,
from,
for
example
like
if
you
were
trusting
domains,
you
can
do
that
through
domain
validation.
A
You
can
do
that
through
email
validation
as
well.
If
you
wanted
to
do
sort
of
like
email,
validated
certs,
there's
a
few
different
mechanisms
to
do
that,
but
I
think
yes
you're
absolutely
right
like
exploring
the
different
automation
options
and
seeing
if
any
one
of
those
would
make
sense,
I
think
that's
something.
B
C
B
C
A
So
I
think
that's
that
kind
of
automation
could
make
sense.
I
think
that's
one
where,
let's
add
those
two
ideas
to
like,
so
I
think
the
first
one
is
the
automation
and
then
getting
certs
from
sort
of
like
a
public
ca
and
then
the
second
one
that
we
were
looking
at
would
be
making
sort
of,
like
you
know,
short
lived
search.
That
makes
sense
for
sort
of
like
the
ci
cicd
pipelines
ray
and
then
the
short
list
starts.
A
I
think
they
add,
in
sort
of
like
an
external
time,
stamp
requirement
to
make
sure
that
you
trust
the
the
the
validity
period
like
signature
was
generated
during
the
validity
period.
I
think
those
are
both
things
that
we
can
have
a
wider
discussion
on
for
the
automation
for
the
next
meeting
that
we
have
I'll
I'll
come
up
with
the
short
presentation
on
the
the
different
mechanisms
we
have
for
that.
So
I
know
that
we
can
do
sort
of
like
domain-based
challenges.
A
A
You
also
need
to
now
own
a
domain
right,
and
so
whether
we
want
to
go
down
the
road
of
domains
or
emails,
I
think
there's
a
few
different
options
we
can
explore.
I
I
want
I'll
bring
in
sort
of
like
a
more
exhaustive
list
and
we
can
run
through
those
automation,
options
and
see
which
ones
make
sense.
B
Yeah
yep
yeah,
I
think
for
for
the
rest.
I
think
the
the
list
is
pretty
complete,
which
you
you
are
showing
in
this
pr
yeah.
So
the
thing
we
are
mainly
concerned
about
is:
how
do
we
manage
those
keys?
How
do
we
also
revoke
people
when,
when
they
are
leaving
the
company
or
switching
departments,
so
from
that.
C
B
B
B
B
We
did
with
this
web
application,
so
this
web
application
has
its
own
local
folder,
where
the
keys
are
stored.
Currently,
depending
on
on
time,
I
I
can
get
for
that.
I
I
could
also
do
small
poc
to
store
the
keys
in
in
hashicorp
vault,
for
example,
yeah,
and
for
that
you
already
have
a
lot
of
items
in
this
list
like
defining
an
interface,
so
so
cloud
providers
can
can
implement
their
own
storage
yeah.
B
A
B
A
B
A
C
C
A
Well,
the
meeting
was
scheduled
for
a
full
hour.
I
think
marco
usually
needs
to
hop
off,
but
I
think
trishank
was
supposed
to
join
late
as
well,
so
I
can
actually
stay
on
for
the
full
hour
and
go
through
that.
So
what
I'm
essentially
doing
is
right
now
is
I
put
out
a
pull
request,
so
I
was
getting
feedback
on
that.
If
you
want
to
read
through
the
pull
request,
we
can
go
through
it
and
I'll
make
some
revisions,
then
for
the
audience
on
monday.
C
A
C
A
A
Yeah,
I
completely
get
that
question
and
I
think
that's.
One
of
the
conversations
I
want
to
have
with
the
group
is
identifying
what
that
sharing
mechanism
is
right,
because
what
we're
essentially
trying
to
get
to
is
how
does
a
publisher
identify
themselves
to
a
deployer
without
really
having
to
rely
on
a
registry
right?
A
Essentially,
what
this
is
saying
is
that
in
the
signing
environment,
these
are
the
tasks
that
we
need
to
take
care
of
and
in
the
deployment
environment.
Here
are
the
tasks
we
need
to
take
care
of,
and
then
the
part
that
we
need
to
still
flush
out
a
little
bit.
More
is
what
does
that
sharing
mechanism?
Look
like
that
answer.
The
question.
C
C
A
A
B
C
C
Okay,
since
this
is
my
first
time
joining
this
group
and
I'm
aware,
like
I
feel
very
much
like
I'm
stepping
into
like
you
guys
backyard
and
talking
trash,
and
I
don't
I'm
not
trying
to
do
that.
I
I
just
want
to
I.
I
really
am
just
trying
to
understand
what's
going
on
here.
Maybe,
since
you've
been
more
engaged,
you
can
you
can
discuss
and
talk
about
what
the
key
management
scenarios
document
and
stuff
in
a
better
way
than
I
can.
D
Yeah
sure,
unfortunately,
I
just
walked
into
the
meeting
myself.
This
is
actually
my
first
time
joining,
and
so
I'm
I'm
also
missing
some
context
as
you
are.
I
do
agree
with
your
point
about
mapping
signatures
to
roles
rather
than
files
themselves,
because
you're
missing
contacts
about
who
did
what
that's
the
first
thing
I
do
agree.
D
The
second
thing
is
again:
I
I
don't
want
to
talk
without
missing
by
missing
having
missed
a
lot
of
contacts,
but
when
I
hear
things
like
revocation
lists,
I
get
slightly
worried
because
that
hasn't
worked
out
well
in
tls,
as
we've
all
seen.
Nobody
actually
checks
for
the
revocation
because
it's
very
expensive
the
way
it's
commonly
done,
so
nobody
really
effectively.
Does
it.
So
if
we
can
do
better,
that
would
be
great.
That's
all.
A
I
I
agree
with
that
feedback
and
I
think,
in
terms
of
setting
context,
this
is
really
the
first
time
we're
looking
at
this
more
detailed
doc,
and
so
please,
like
you,
know,
go
through
it,
and
all
of
this
feedback
is
welcome.
I
think
the
goal
here
really
is
to
kind
of
come
up
with
something
that
works
at
scale.
A
Obviously,
and
revocation
is
obviously
one
of
the
tricky
parts
when
you
go
into
sort
of
like
a
sort
of
like
trusted,
root,
configured
model
right
rather
than
sort
of
like
having
the
entire
sort
of
like
signature
map
available,
so
I
think,
there's
trade-offs
on
either
side.
I
think
the
question
here
is
really
highlighting
these
trade-offs
and
identifying
what
makes
sense.
So
I
think
any
of
the
feedback
here
is
absolutely
welcome.
A
The
way.
The
approach
that
I
was
kind
of
thinking
of
this
more
was
triggered
less
around
sort
of
like
you
know.
Yes,
the
roles
do
matter.
I
think
here
the
roles
are
classified
more
in
terms
of
the
the
roots
and
the
intermediates
that
is
telling
you
who
actually
signed
the
artifact
in
terms
of
like
you
know
whether
you're
trusting
a
company,
in
which
case
you
might
trust
a
root.
A
If
you're
trusting
sort
of
like
individual
developers,
those
could
be
individual
intermediates,
we
can
go
up
and
down
the
tree
and
sort
of
like
you
know,
make
this
as
complicated
or
as
simple
as
sort
of
like
you
know.
The
use
cases
require
the
part
about
sort
of
like
the
signature
kind
of
being
available
with
the
artifact
makes
the
validation
somewhat
easier
in
the
sense
that
you
know,
if
you
have
a
a
trust
root
configuration.
A
That's
worked
for
a
lot
of
other
code,
signing
use
cases
as
well
right,
and
I
think
the
question
here
is
in
terms
of
comparison.
What
do
we
gain
by
either
model?
And
what
are
the
changes
I
think
part
of
where
we
want
to
take?
This
is
one
the
core
requirements
that
come
in
is
that
the
notary
server
needs
to
be
independent
of
registries.
So
you
could
use
the
same
notary
across
multiple
registries
and
the
other
part
of
it.
D
Yeah,
that
is,
that
is
wonderful.
Thank
you.
In
fact,
some
of
some
of
your
use
cases
you
talked
about,
such
as
trust
roots,
choosing
on
the
level
of
the
whole
registry
or
particular
developers
or
the
company
level,
are
interesting.
These
are
actually
some
questions
that
we
have
explored
recently
ourselves.
We
just
got
off
on
a
call
about
one
of
these
features
and,
and
it's
a
fair
question
about
what
we
gain
by,
not
so
by
associating
signatures
directly
with
files,
instead
of
different,
different
different
roles
right
this
sort
of
indirection.
D
D
B
B
D
D
A
Yes,
if
you
can
provide
comments
there,
we
can
go
through
that
that
way.
We
also
have
a
record
of
like
you
know
what
the
feedback
we
got
and
make
sure
that
those
are
being
addressed
as
we
go
through
god,
thanks
yeah,
I
apologize
I
didn't
have
enough.
I
didn't
get
to
stop
then
early
enough,
where
I
could
share
it
earlier
in
the
slack
channel.
I'm
gonna
try
and
get
revisions
out
on
wednesdays,
going
forward.
C
So
so
one
thing,
I'm
I'm
also
kind
of
trying
to
wrap
my
head
around
here
and
I'm
sorry
if
I'm
like
this
might
seem
like
a
small
point,
but
maybe
it's
important.
Maybe
it's
not,
but
one
thing
I
really
like
you
say,
is
in
parentheses
a
lot
of
times.
You
say
what
you're
trying
to
achieve
by
doing
this
action,
like
a
publisher,
shares
the
root
public
key,
so
other
users
can
verify
the
containers
before
running
them.
C
But
really
you
know
your
goal
is
the
thing
in
parentheses
and
the
the
you
know
like
I'm,
I'm
not
I'm
not
saying
I
can
imagine
a
scenario
where
they
don't
have
to
have
the
key,
but
if
somehow
there
were
a
scenario
where
they
didn't
have
to
have
the
public
key.
To
achieve
that,
then
you
wouldn't
need
to
share
the
public
key,
for
instance,.
C
C
A
No,
that's
actually
a
good
call
out.
I
think
part
of
this
was
something
that
I
did
want
to
talk
about
in
this
group.
Should
we
actually
prevent
signing
of
container
images
with
the
root
keys,
because
the
root
key
is
essentially
translating
into
a
root
identity
right
and
if
the
root
key
is
readily
available,
then
potentially
it
is
something
that
could
be
easily
compromised.
C
It's
something
like
we
we've
seen
a
lot
of
big
organizations
where,
basically,
they
just
push
an
update
sign
with
the
old
key
to
try
to
rotate
the
key
out
when
it's
compromised,
and
the
problem
is
that
the
attacker
already
has
the
old
key
too.
So
you
know
that's
not
not
great,
to
put
it
mildly,
yeah.
C
But
why
why
they
want
to
do
something
like
this,
because
I
think
it's
it's
easier
than
for
us
to
go
and
see
like,
like
the
immediate
thing
I'm
trying
to
do
here
is
to
try
to
reason
about,
like
you
know,
a
hypothetical
design
that
would
do
this.
That
used
like
metadata
on
the
oci
images
and
use
something
like
tls
to
try
to
do
key
management
versus
doing
something
like
tough
and
I'm
trying
to
figure
out
like
where
the
gaps
are
in
the
solutions.
C
A
A
They're
accomplishing
and,
like
frankly,
like
you
know,
if
there's
a
better
story
for
getting
the
revocation
information
out
in
terms
of
liking,
if
you're
able
to
lock
down
roots
and
there's
some
sort
of
like
signed
metadata,
that's
going
out
like
you
know
the
same
way
that
the
tough
sort
of
like
framework
currently
works.
I
think
there's
potentially
a
hybrid
there
and
I
think
you've
actually
called
that
one
of
the
concerns
that
we
had
with
notary
v1,
where
to
get
a
root
rotation.
A
You
have
to
sign
with
the
old
group
right,
and
so
if
that
route
was
compromised,
I
agree
with
you
there.
That's
not
the
best
solution,
and
so
I
think,
really
kind
of
teasing
it.
Apart
like
what
does
a
group
revocation
look
like
versus
what
does
a
delegate
revocation
look
like,
I
think,
if
we
can
build
in
sort
of
like
automation,
where
you're
not
necessarily
having
to
go
to
a
crl,
to
kind
of
do
that,
like
that's
great,
and
so
I
think
I
will.