From YouTube: CNCF SIG Security 2020-10-07
A: So, just from logistics, there's typically five minutes spent on housekeeping, see if there's updates on action items from prior meetings or anything, and like anyone wants to share or announce. I don't think there'll be anything major for today, so it shouldn't take more than that before getting started.
A: I'll drop off from the other Zoom I was on. Apparently I'm still logged in. We've been doing what's called the Book Sprint. Are you familiar with that? So think, yeah, think about how screenwriters and like deep people who write movies and TV shows get together in a room, like crank out all the ideas, so producing from like zero to published in three to five days, and this used to be done in person, now that it's gone virtual?
A: Emily's been on it, it's been fun. Hey, thanks for jumping in last night and getting that chapter four going.
F: It was fine, I had more feedback than I expected that I would have, but it's turning out to be a good test, I think.
A: Well, welcome everyone to today's SIG Security call. If you're new here, please add yourself to the meeting notes and agenda; you will find under today's date the attendee list and action items.
A: If you have an update to share... if you don't have an update to share, say no update. Otherwise we can... we can do roll call and I'll pass it to either Emily or Brandon, if you want to just like kick off and do like first, before we get into talking with Aeva, who's our guest joining us today to talk about confidential computing.
D: So I can certainly go first. So, quick update on Security Day. We had over 30 talk submissions and a lot of them are actually really, really good, so it'll be very hard to select just a couple of them for Security Day, so the team is working through that. I believe that Friday is when we have our meeting to go through and discuss everything, so we're on schedule and we're doing really well.
D: As far as the white paper goes, we've currently started our narrative voice review, where we're going to go through and talk about adding some consistency in the language that's used and make sure that the content of the document is easily readable, that the thoughts are more cohesive throughout the doc. So if you had an outstanding comment in the document, we're going through and we're trying to resolve as many of them as we can, so we're looking good there.
C: All right, I guess my update next. So we kicked off the security assessment improvement, and so we are trying out something new. I know some folks on this call may have experience with it. We are attempting to use Mural to kind of bring some and kind of get ideas together for what we want for the security assessment improvements. If you are not already part of the SIG channel and want to participate, I'm gonna paste in the link on to the issue. You can comment on that.
C: Absolutely right, and all of it should be in that issue comment, right? There, also paste it in the agenda.
A: Fantastic. I don't see any other updates coming from the attendance list. Santiago, you want to tell us about the in-toto proposal? I saw that open up. You want to do a call out for folks to chime in? Sure.
G: So in-toto is gearing for incubation, and part of the due diligence process is to have approval, let's say. Yeah, so we discussed earlier on. It's been like an ongoing process, but we're finally starting to ask the SIG to input their self-assessment conclusion, which the self-assessment is probably, I would say, number zero.
G: It was the first one that happened, so there's a couple of things we need to revisit, but from discussions with the SIG earlier on, it seemed that since originally it was a recommendation for incubation, then it kind of makes sense to move forward with the original recommendation. Then again I think, being transparent and letting people chime in with...
G: So if you want to take a look and discuss or input some feedback, and I assume that eventually the SIG will come to a decision on what's the recommendation for incubation. I don't know if Emily or Brandon or, I forgot who else is running it, has an input on how the process is supposed to go.
C: If I recall correctly, at least what we did with OPA and Harbor, really, it was kind of copying over the outline recommendations, and I think with like OPA, what we did at that time, let's just say: okay, we did the security assessment, here's what we recommended to date. You know, the project has taken steps to fix these issues and stuff like that, and I think it's just a short paragraph. I think the last one was filled up by Justin and Dan and Emily, I'm guessing. We can do something similar.
H: Okay, the last one was a graduation, the last one we did, I think, which is not necessarily exactly the same, because the incubation one is supposed to be the most detailed review, which was the last... did we do another? It was Harbor.
C: Do you know anything specific that we should add in? Is there kind of a template that we have to fill up?
C: I remember the OPA and Harbor one being really loose, which is like SIG recommendations, and then it's just kind of free-form text, and that's where we paste it and the security assessment results.
G: From the top of my head, it was mostly: it seems that the project has done necessary steps to like have reasonable security design principles, some development practices and vulnerability disclosure and management. And I even remember there was another blurb saying we recommend the CNCF to develop some budget for UX/UI designers to help with the front end or like the user interaction with it.
G: I can find like the specific text if that's worthwhile, like if that's something that we can start working with.
A: Okay, well, without further ado. Today with us we have Aeva Black. Aeva, I understand you work at Microsoft and you're also part of the Outreach Committee for the Confidential Computing Consortium, you're involved in Open Enclave, you're doing a lot of work around these, and the motivation for being here today is really about increasing awareness, comparing notes between similar efforts within the CNCF, seeing what people are coming across and hopefully finding how to best collaborate where there's an intersection of PE enabling projects.
B: Great, so the idea of confidential computing is to extend protections around data privacy, data confidentiality and data integrity from when data is in transit (SSL/TLS) and data at rest, now to do those same functions for data in use, so encrypted memory while applications are in use. There's different approaches to this folks have been building over the past several years. Homomorphic encryption, differential privacy, both of those are software based; this one is hardware based, and so each of the CPU vendors, Intel, ARM, AMD and potentially more as well...
B: I think the POWER series, RISC series also have some... enable the encryption of memory pages and keep the entire application encrypted.
B: The decryption key is either in hardware or not even on that machine, that they could be delegated temporarily to enable this workload to be run and then attest it to where exactly it's running. I'm not going to jump into the how, and also the how it varies from architecture to architecture and cloud platform to cloud platform.
B: Our Technical Advisory Committee is working on a much more technical paper right now, while still being neutral and high level, because each of the member companies and projects do this differently, and so my context, as Andre pointed out for me joining the call today, is I've had a couple conversations with folks in different CNCF projects saying, yeah, we'd like to use this.
B: These chipsets, this hardware capability, to do things like mutually attested TLS, or containers which are fully encrypted, or container image formats that are encrypted and can only be decrypted in specific locations using attestation with third-party verifiability. And I'm kind of throwing word soup a little bit here, because right now it does feel a little bit like word soup.
B: Different projects are using or overloading terms, and even within the member companies in the CCC I'm seeing a little bit of overuse of terms, and I don't know what's happening in the CNCF landscape yet, other than folks are like, hey, mutually attested TLS using SGX, we should do that.
B: Okay, well, hang on, let's all get together and try to make sure first we're using common terminology and then, if possible, that we're not duplicating work too much in our open source projects, because we do have two foundations, both under the LF, working in somewhat overlapping spaces. We've got now, I think, nine open source projects in the CCC that all do stuff around using hardware enclaves.
B: Are there common ways we can surface up those open source projects into CNCF projects that want to use those capabilities? And so my questioning began just with the Kubernetes Steering Committee and security, like, hey, does it fit here? And they said, well, this looks like a CNCF-level discussion should happen, and I ended up routed to all of you, and so that is the context, and I would love to just sort of have a free-form discussion for a bit.
B: My goal being: figure out how best to address these challenges, common terminology and common use of open source projects across multiple foundations.
B: Sure: Open Enclave SDK, Enarx from Red Hat, Graphene and Occlum. Both are research projects.
A: Cool, yeah, there are a few like related projects, at least from my vantage point, and let others chime in, but certainly SPIFFE and SPIRE get roped in with the desire to attest based off hardware with cross properties, and how can we do TPM attestation and TEE attestation?
A: So there is some nascent work there. There are emerging projects, well, they're actually quite a bit far down a good road, like Parsec. I know Justin Cormack is involved in that project, which is a platform to provide identity-based crypto operations at the edge, providing segmentation.
G: On what you've said thus far, on the top of my head I can think of two projects. One of them is definitely in-toto. Part of the feature work that we want to do is to use hardware roots of trust to authenticate functionaries within the chain.
G: That's been something where we've been trying to make happen for a while, but I don't think we have the building blocks software layer. That's why, when we're looking at the Open Enclave SDK and hopefully the CCC can come make like all the TPM stack a little bit more manageable, I would really love that. Another one that I was thinking about for the same purpose, and that's now sandbox in the CNCF, is Keylime, which I wonder if you had a chance to talk with them.
B: So I just pulled it up. It looks like Keylime is focused on measured boot or trusted boot, rather than what we'd call confidential computing, right? So...
C: Yeah, I'd like to kind of ask a question also. There's kind of like a conflation of features with that, right, because I think there is some common ground with confidential computing and every other thing that builds on top of some kind of hardware root of trust or some hardware models.
C: Okay, so this is like library OS techniques like Graphene.
G: So I have a question regarding that. I assume that to make this little circle on bottom left, you are also working a lot on having the building blocks that are necessary, and I wonder if, in that sense, there's a way for SIG Security and CNCF to understand what things are not like immediately interesting for you, but may benefit both communities if we tackle it together.
G: Well, the Open Enclave SDK allows you to build an arbitrary trusted execution environment, which I feel was the bigger circle on...
G: Right, I could be wrong again. I don't want to put words in your mouth, but my understanding is it was an abstraction layer that allowed you to use multiple vendor-specific technologies to build enclaves.
B: I could say Graphene or Occlum, or... interesting example, because it's Rust-based, there are some parts in there that you build an application, you run that application somewhere. The application runs through a hardware TEE inside encrypted memory pages, and then you do need functions like attestation.
B: Key signing, key release, policy management, that at this time the open source projects don't have a lot of the orchestration around that, but something like Fortanix EDP or Anjuna, both commercial products.
B: Edgeless also has one that integrates with Kubernetes to do key management and orchestration, to do the key release policies, so that when your application is being run by Kubernetes in a hardware enclave, to actually launch it you have to release it, decrypt it, and something has to coordinate where that decryption happens, if it's allowed to be decrypted and run on this machine or not. That, yes, there's certainly shareable libraries I think that could emerge from this, like how do we do the key release and the key management.
C: I know, you know, this is something that cannot contain that. So I think SIG Runtime would also be a good place to talk about this. I think the parts, for example, with Enarx, especially there's a lot of talk about WebAssembly going around in SIG Runtime. That could be an interesting place.
C: So there's this discussion in Kata Containers where we're talking about... so recently we developed encrypted containers. You know, how do we run the VM such that everything we did in the VM would be confidential? So this is if it's using, for example, AMD SEV, MKTME and stuff like that, and the whole part of the discussion was okay.
C: Now, if we want it to be truly confidential, we had to handle the distribution as well within the enclave or the encrypted memory, and so we had to kind of take parts of the ecosystem and also put them within the enclaves, which I think was a difficult part of it. So...
C: I think that would be something we could see with the SIG Runtime as also interesting, any channels that would be interested there.
C: In terms of education, I think there is a level of something that we can do about it, and I think that, you know, it may be a good maybe project for the SIG Security if there's interest that's built around it. And last thing I can think of is, I haven't taken a look at the list of projects, but you know if CNCF, if these are projects which may benefit from being in CNCF, but then that's kind of a question about, you know, what's the gain of being part of CNCF versus CCC, yeah.
B: I don't want to get into competing Linux Foundation projects with each other, right, but rather collaborating. So I don't really want to... certainly not projects that have already applied to join the CCC and are accepted there. I'd rather look at how do we communicate across these foundations and support projects in each of their homes?
D: I think there's definitely room in the white paper, in the landscape, to touch on a little bit of that for sure, and in its current state, probably a bit late for updates. But let's post, and in the refill we can certainly add an update.
C: I don't think we are looking to do technical projects that come a bit more like... we can help form the groups from the discussions. I...
C: There are already several people on this call I know that are already interested in this, so I don't think we would be doing the technical work, but we can help, you know, get the right people together and kind of also communicate some of these discussions as well.
D: I was just going to say that for sure we can definitely help facilitate making sure that you get the right points of contact and maybe help like move that forward. We also have the mailing list, which has a ton of folks on it, so you're more than welcome to write something up and send it out to the mailing list to help facilitate some more attention on this particular topic.
C: Thank you, yeah. I would also create an issue as well. This is a good channel, kind of create a suggestion and then usually we have a couple people just chime in on that. So you had talked...
A: About one set of example applications. I wonder if, and that might have turned the light bulb for some, I wonder if you can talk about other use cases you're encountering, or perhaps what are some unsolved challenges for some of the nascent projects in CCC that may be areas of interest for folks to jump in and contribute? What is top of mind?
B: Justin, this might be a little bit directed towards you. I think around projects that launch containers in enclaves taking novel approaches to how they encrypt and sign those container images, and I think OCI just did a specification on how to do, or took a position on how one should do, encrypted container images, and I'd love to help facilitate that collaboration so that people aren't reinventing the wheel.
H: Yeah, no, definitely. I think that, yeah, I see OCI is a good place, and obviously both me and Brandon are involved there.
H: I think that, I mean, there's a lot of work kind of planned, I'd say, at the stage when they fit OCI. For my changes, I think there's a lot of use cases that are not encompassed by the current formats, and there's a lot of discussion as to what things we need going forward.
C: Yeah, and I think we can also bring a couple other folks from OCI as well on this, right, Jason?
C: Bieber, Phil, Lexi or someone, oh, Vincent. I'm curious on: has there been any benchmark study done as far as what's the computing cost for this confidential computing, especially on the processing side of it, when you're doing the encrypted data and trying to process that, and decrypt it and process it and then encrypt it back and so forth?
B: Yes, some benchmarks have been done. The results vary wildly by CPU vendor, by software architecture and by use case. So an example of where the cost can vary...
B: Hugely is SGX does not support fork internally, and so some projects implement fork by jumping out to the host and starting up a new SGX process, and the page swapping for that, entering and exiting the enclave, can be very, very costly depending on how you implement it, or less costly depending on how you implement it, and so the benchmarks end up being, well, on this chipset these two projects in this scenario have a 10 times different performance profile. Isn't that wild? 10 times. Some of those? I can do my math, considering whatever you have seen in terms of the fastest hardware or most intensive hardware implementation of this confidential computing, would you put that into the category of the ten percent overhead? The low? That's the low end, right, penalty.
C: I'm kind of curious on that. Is there any standardization of the interfaces there?
C: Yeah, at least like what, how should you communicate to enclaves? What's expected out of the interfaces? I know SGX, all the implementations are different. They do key management different ways, some of the key management in hardware, some of them do it outside. Some of them can do interrupts on that con... So yeah, yeah.
B: What I see across the CPU or the chip vendor space is SGX is kind of a novelty. Everybody else has taken a different approach: they're working mostly at the hypervisor interface layer. When I look at AMD SEV or SEV-SNP, when I look at Intel TDX, not released yet but announced in the plans, and when I look at IBM's PEF, they all take a sim... Those three take a very similar approach.
B: TrustZone and OP-TEE is a bit different, and then SGX is completely by itself in its interface, and so what I'm anticipating is over time we'll see the layer above all of these where the common abstraction forms, right? It's not going to happen in hardware, because every hardware is going to be different. It might happen at the SDK level, of like a C SDK to interact with the hardware.
B: It will probably also happen at the orchestration layer. How do you launch a process or a VM into an enclave? And that's where I think the real work happens between the CCC and the CNCF: like, people, whether they're launching VMs or they're launching containers or they're launching function as a service, like, however they're launching it, they're going to need to perform actions like attestation, encryption, signing, and that should be consistent across projects and across cloud service providers. I think, yeah, so I think you mentioned an interesting point there in the SDK. So I'm curious, because different workloads require different types of securities, right, so you should be able to selectively choose where you really want the most rigorous confidential computing workload versus there. So if you consider, for example, different microservices, and some of the microservices might be running in a very high confidential computing environment as opposed to the others which might not require that, so does this SDK provide that kind of flexibility to orchestrate your workloads?
B: Exactly, I do believe that. I completely agree with your point that different workloads will have different security requirements.
B: Some will want a very small TCB and very fine-grained, very careful and nuanced control over the code running in it and how it is launched, and some consumers may want to just take a whole VM, take their existing, I don't know, ERP app, and run it in a confidential VM. I might not want to, but somebody probably will. I
E: I wanna chime in, there's a couple of thoughts. I think the idea of thinking or looking on all these communication problems through the use cases would definitely be helpful. So I can say that we are looking into this from an integration perspective and bringing hardware root of trust to, and do basically build the SPIFFE/SPIRE identities, that's good, like unified identities that could be used to cross all the system and bring in a hardware root of trust to it, right.
E: So there are different layers for it, and like you can look into SPIFFE/SPIRE from one attestation perspective, but we are looking into it from another attestation perspective. How we do an attestation of a hardware and making sure that agents, where they run in, can have another... and as a key, and basically using another infrastructure that we can use for another layer of attestation.
E: So I kind of feel that understanding of all their possible remaining use cases and identifying projects in the ecosystem would be definitely helpful, because it's all unstructured knowledge at this point. That would definitely help to understand who is working on what and how we all collaborate more and better.
B: I completely agree. I've been thinking of this within the CCC as trying to define the on-ramps. How would a developer engage with this layer of securing their application, and defining the use cases from that perspective? There are other perspectives as well, but that is, I think, the next step that we all need to do: define those use cases and how people are approaching it.
B: I don't know if there is a... yeah, I don't have a specific next step. Part of my goal in asking and coming here today was to determine whether CNCF security is the right place to continue these discussions or not, and that question just came from talking to folks who were like, yep, that's a great conversation, I'm not sure where it should happen. So my question is to all of you: should this become like a working group or something within the SIG, or a regular part of your meetings?
B: Or should we create a separate thing to have these conversations and work on these use cases within the CNCF scope? Because I'm also having the same kind of conversations more broadly in the CCC, which also includes non-cloud-native scenarios.
C: Yeah, I just... I think that creating an issue would be a good first step. At least you'll see that it seems like there is interest from individuals, from chat that I can see.
C: So if there is enough of a group that wants to go around this, and there is a defined effort that can come out of this, like, for example, you know, cycling the use cases like either I mentioned, then we could have it as a project proposal, and if a co-chair signs on or offers, it could be something like, you know, what Santiago did with the supply chain documentation, kind of just like it's...
D: So I think definitely creating the issue first should be the very immediate thing that happens, and then probably drafting a notification to go to the security mailing list with the link to the issue to help solicit some interest in the area, and then, depending on what the activity on the issue is, then the next steps come out of it.
E: Yeah, I feel there are like so many different pieces and different groups, so there might be a need to like have a SIG CC or something like this. We definitely have some projects in here that have been mentioned, like SPIFFE/SPIRE and in-toto, a couple of them for sure, and maybe others, but there are definitely bigger scope and landscapes for integration with hypervisors and functions and a bunch of other stuff for sure.
G: Feature creep happens at the CNCF level, I think, and in-toto, in a sense...
G: Goes beyond cloud native, but it's a very good home here, mostly because the community is very welcoming and there's a lot of interest in innovation and problem solving. So I wouldn't be surprised if people are also willing to hear about the use cases that go beyond containers and orchestration. I suppose, regardless of where this happens, I believe it might be useful to think of utilizing some sort of an API-type-based optional capability from the CNCF project to whatever is being developed in the confidential computing, so it can be optionally used for different workloads or different purposes. I
C: Oh yeah, there's a lot of 5G conversations around confidential and trusted computing, exactly.
B: You know, very much related to this, in the CCC TAC, which meets every two weeks, mostly at the moment that is between myself and Mike Bursell, who is my peer on the Enarx project, and I'm on the Open Enclave project, and so the two of us are trying to sort this out as the two most mature projects in the CCC right now.
E: Yeah, I'm happy to help with these use cases, if you folks will plan to work on this, at least on a high level, and might be a map of projects or things we've been touching with or playing anyways, to see how it fits into the whole infrastructure of the whole idea.
A: There's certainly like a desire to, for you to find consumers of Open Enclave, and clearly we've identified a few that we can like help like expand the footprint, but also take advantage of the benefits it provides, and I'm sure others will arise. But yet, near term, like certainly in-toto, SPIRE for using, well, involving the distribution of keys, there's certainly also a consumption aspect we can surface back to at attestation. I wonder if projects like OPA, well, initially that were intended to be able to enforce rules and regulations at that layer of the stack.
B: Andre, I think you've given me something else to think about. Could we create a sort of a list of CNCF projects that are surfacing up this kind of functionality? I think that having that list would be helpful to track and organize interest and conversations around it.
K: Sorry, I joined a little late. Nothing much from me. I know Aradhna was supposed to present. I don't know if it happened. Otherwise I think, depending on her time, maybe we should see if we can have...
K: Have her presentation scheduled for next week or week after.
C: Yeah, let me talk to Luke. Next week we have a Keylime presentation. Let me ask him how long he needs for it, which is also relevant to what we talked about today. Yeah.
C: The attestation portion, so let me have a chat with him, see how long he needs. All right, now how long do you need for your slot?
L: I can adjust time, I mean whatever time you can give me. It's just for, you know, sharing and applyi. I can send a link to the paper and you guys can read the draft, not a problem.
A: Cool. Stephen, Cameron, anyone else?
A: Yeah, 100% agreed. Well, Aeva, thank you very much. Looking forward to seeing you in upcoming calls and working together. I will yield my time back to the chairs.
A: Hey Santiago, while I see you here, there's been a lot of interest and demand to see an upstream integration between in-toto and SPIRE, be it for protecting the in-toto machinery and, at the same time, well, for the supply chain law to be used as attestation criteria for like binaries of known provenance to be issued identities.
G: Yeah, that sounds very interesting. I'll be interested in knowing, because I know there's at least... it makes me think of supply chain transparency in a sense, and I think that's something that's coming up soon in other communities as well. So I wonder if we can make something happen in the near future.
G: No, I am now in Lafayette in Indiana. I ended up at Purdue University. Oh, congrats. Thank you, yeah. It was a tough decision between the University of Arizona and Purdue University. But I'm happy with the decision I made, let's see how it turns out.
G: But well, this is in Indiana, it's Midwest. Yet Louisiana? But Indiana. Oh gotcha, okay, yeah, yeah, so well. Yeah. The food is not as great as...
G: Well, yeah, I'll find charm in Indiana. I think so far I've been liking it a lot. It's not so different from New York in some respects. So that's that, but yeah.
G: The... I think it's a Dragon 2 pickups, I forgot. Oh, pretty cool. I really like it. Awesome, well, nice to catch up and I'll see you guys next week. Yeah, good to see you. Chat soon. Yes, bye, take care.