 This doesn't happen to a connector. That's you. You're one of the participants. I'm going to leave. Okay. This is the reinvent office for data BOS and Microsoft and who else on the call? What's the URL? Which URL? Zoom, US slash my slash CNCF notary project. CNCF notary slash or CNCF all one. My slash CNCF notary project all one. Can I display a good question? Yeah, I can. I'm here. We're using the HackMD for notes. I'm just trying to make sure we have that up in the middle here. Oh, I'll share it. There are two of them in the room. No, three of them are in the room. Okay. Well, I said expectations for two o'clock. I gave them the extra half an hour just to get things organized here. All right. Before we get the larger group on the call, you know, this is always the balance. I pinged you and it just seemed you were busy. And it's always the balance of a few people that can get run really fast. And then the larger group that is annoyed that you ran really fast. And then you have the larger group that you run a little slower, but all this good information comes up that you didn't think about. So that's the struggle I know that I've been kind of Well, we did, yeah, we did discuss earlier about breaking into smaller groups. More is something that we should we had when we did a kickoff. We're like, look, let's have some breakout meetings that we can focus on key signing and we can focus on, you know, use cases and usability and APIs. And I don't know if we've gotten to the point where that's a thing. But we're a month away from KubeCon and I was at least in my head some sort of a line by which we should have made material enough progress that we can stop sculpting how to build a puppy and I'm not feeling with air yet. So we need to find the heat just to have. So I think so the thing that I came out of last one is like there's this balance of jumping into some details and getting into where we store the metadata and so forth in index or manifest and both blah, blah, blah, but I feel like we still tripped up on this just this basic thing of what are we signing, like are we signing a manifest regardless of the name? Are we signing something that says it is my sequel, you know, colon V1? Is it just my sequel colon V1 or is there something related to the path? And if it includes the path, then where's the line between the path and the registry and how do I move things across repos for various workflows? And I feel like if we can close on that, then that at least opens up the next round of conversations because depending on what we decide, there's claims information or something and there's discovery. There's a bunch of conversations that fall out of that. But I feel like that was the core thing. That's what I left with other folks. Yeah, I kind of I read this dark on the way over, which is this, which is in the channel, which I just posted in. But that was kind of because the conversations we had around I think that some people it were not so much in the in the container community and quite understand how we use repos. And so I tried to write down what kind of issues there were and what kind of workflows exist and why it's not necessarily quite the same problem as other people have in other areas. And therefore we're confusing things. I mean, I think at some point, we're going to have to make some decisions about what kind of workflows we're going to actually support and what's going to be out, which things going to be easier, which things going to be more complicated. Yep. So there's the So should we take some time and read Justin's doc? Yep. Good. And read Justin's doc. Oh, wait, where's your doc? I put it in the fact. And I'll put that in the video. Sorry, can somebody get some pops in the HackMD that won't get lost in my own tabs. So is there any other things that we can just maybe just get the agenda that would help? Like I'm about to read your doc. Is your doc about name or your doc have like a bunch of agenda? It's about it's about mirroring basically just and what what how the how people actually use things. I think that Thank you. We're in the HackMD page. Where are you? Do you have Swack open? Yeah. So he just Yeah. Here. Let me just the second team's open. Yeah. Is anybody on the zoom? So can you see what I'm actually sharing? Right now? Yes, it's a HackMD document. Is it the split screen, split brain one or the fully rendered one? No, it's a fully rendered one right now. Okay, good. There was also an item that we wanted to discuss, which was some requirements for a CNAP. Do I just add it to the agenda or what's the procedure? Yeah, if you can do that right, that'd be great. I was actually just typing the agenda items in there anyway. So if you add it, that'll be the exact queue that we want to use. That CNAP doc was interesting. I started to read it a number of times. I'm interesting for your definition of interesting. In a good way. I know Vincent said he couldn't join. Are we expecting anybody else from Quayer Red Hat? I had to go back and look at who accepted it or not. But did Vincent say he wasn't available today? Was that week? Yeah, yeah, it was the one thing. Oh, it was the whole week. One thing probably should bring up. Some people didn't get the cancellation note for this morning's meeting and people showed up in the Zoom room this morning. And I told them, I actually received the cancellation and told everyone about this meeting. But just so you know, not everyone knew about it. No, apologies. I'm trying to get people to focus on the Slack channel. And I did post. I think I posted there. Yeah, you did. Okay, so I'm just going to read. Sorry, I already went out ignoring you. Did I still read it? Yeah, I need more of a package one, please. I should have made some comments. I didn't like the example package. Oh, I see what you're trying to say. Yeah, it's all right. I got you. I just don't like package management systems. Is that what you're doing first? So I'm trying to rock the total thing that you're getting at. Is it the, in the mirroring case, is the assumption that just the DNS name changes? Or is it that you want to make sure we support path changes too? The current use, people currently, I'm going to say here, people do use path name changes because they kind of have to. And say... Is that a mirroring or is that where they're just moving the content to their registry? I thought you were trying to explicitly call out the mirroring. I'm not. I mean, in a sense, there's no distinction. Because other than the one mirror that Doki used to run for China, there aren't really any actual... And it's passed both three caches. There aren't really any real or meaningful mirroring situations that can't exist. There was one product. That's Sonatype. There was a customer that came to me with one of them recently that was kind of doing what JFrog does, where they do a bit of redirection for you. Then they do a passive cache. So I'm just trying to figure out, are you trying to make sure that we can support a real mirror where it's more of a passive querying hub.io, dockerhub.io, slash foo slash thing colon V1. And I can still get it, even though I'm going through another DNS name or a proxy, or... No, I really just want to move that image selectively, that one or two, with five images to another screen. Justin is just trying to talk about what people are doing today. The document was particularly for people who are not in the container recently, because they don't understand the weird shit that we do, and that we've ended up doing. Because we've ended up with a situation where we can't use the simple kind of mirroring strategies that you use for, let's say, Ubuntu, simply because the interface doesn't exist. And unless we want to actually start introducing wholesale mirroring and pull through caches as a feature of the ecosystem, then those things are just not going to exist. We would have to fill them. You were talking about... No, I wasn't going to... You mentioned about multi-region. Yes. I mean, so are you planning to have a registry namespace for all regions? So, one of the great joys of working containers is that your roadmap is actually public, so we can happily talk about the stuff that's already on there. But one of the things we have to do is be able to put images in different AWS regions. And not rely on the fact that the underlying cloud stories that we built on is that to move it around. A consequence of that is that if you actually put images in multiple regions, the customer may want to come in and say, give me that image, and it's up to the cloud provider to go, oh, I'm going to pick it from the right place, and if it's not there, I'll use the magic on the background and get it right. Those are two different problems. One is just putting images in different places, and the second one is easier global pull single cross multi-global repo content. So both are going to happen, right? We have to do them. But in the context of mirroring, why were we even talking about mirroring and signing? Because I clearly missed last, and I'm so sorry. Justin's not trying to talk about mirroring in the sense of having full mirrors of registry content, but rather in the context of what are people doing today for how they're getting image content around in different locations. But also how this is different from other solutions, such as package signing, where there's a straightforward mirroring model means that there's already a model where effectively the signature is all possible. It doesn't matter where you get things from, which we don't have, because it does matter where we get things from. I was going to say, what is the tie-in with signing, and that's the tie-in with signing. You can't rely on a location, or signing doesn't imply a location, or what you sign implies the fact that you got it from that place. It currently does, yes. Yeah, the current signing... Well, everything about a location, right. Package signing in the Linux package manager ecosystem doesn't imply a location at all. And that's our can we get to more of that? Just for the sake of others, can you switch that over to the hack doc? Seriously, taping. Yeah, I was doing the same. Anyway, I think that's part of the question, I think, we're trying to figure out. The question is either do we try... Do we try to move to something that's more like that, or do we just say, that's not possible, let's not bother? Well, the way I worded it, how much change are we willing to impose to make this solution work? I mean, not. Like we've said, we're going to break away from Docker content trust and notary because it just doesn't support the basic thing, and we actually don't have as much adoption of anything that we would like. So it's really not a break because it's not that much of usage. Clearly, there's lots of usage around pulling images from existing registries. So the more, well, we would love to roll back the clock and make it more like a package manager where the location is like irrelevant. I don't know how we... I don't think... Yeah, I don't see any particularly realistic way of doing it. I'm basically changing the kind of content models that we've become totally location-independent. Are you contemplating that you think we could? I'm trying to understand what Justin's proposing or what you're saying. I think we're asking the question... The question is, what can we change? Well, if anything, can we change about how users use images now? And I think we kind of kept in vision last week that we can't change very much. Just kind of workflow questions you were asking last week. I think that's right. I think that it's going to be very hard for us to build something that we expect people to adopt if it requires them re-architecting things about how they refer to the images and about how they are interacting with the deployment tools that they use for actually going to run images. So changing things in the Kubernetes object definition like the pod specs is going to be challenging. Changing things in the ECS test definition might be challenging. And changing the way that people organize things in their own registries is going to be challenging. And just the workflows. Like the fact that people move things between registries or move things within registries in different paths is like a workflow that people have created. And also we don't want to create something that you can only use if you make these changes because then that's a recipe for low adoption, which is one of our requirements is not low adoption. So if we can't make those changes, I think we can't make those changes. We can't make these fundamental changes. The value we're bringing is not enough to justify this massive change that it would be. So if you sign and that signing does not also point to where you got what you signed from, which is inherent in the fact that that's the image is here. What is exactly the implication of what you guys suggest? Because I think part of it is they could swap out. Like when I look at the other package managers, the location is a separate configuration. I got some configuration. There's a default that says it goes gets from NPM. And if I just say NPM restore, it gets it from there. If I reconfigure my NPM registry, it'll get those one level deep names from alternative, which hopefully those things are there. With that's kind of the simplicity I think that will in a change. So let's start somewhere different. What do you think a signature helped you? Given that you have some bytes and those bytes are signed, what does that signature tell you? Who are you asking? And so I'm asking a question. I'm asking the room as a whole in the context of signatures, not containers and not containers specifically. Just try and get us on the same page about what we're talking about. I think that's fair. I specifically was interested in if you were talking containers. I'll tell you, a signature from our perspective gives you a specific a hash over a bag of bits, no matter how large or how small. We know the publisher's identity and we have a mechanism by which we can verify those truths. Those things are still true when it comes time to validation. Yeah. And I would go maybe a little bit further and say the publisher's identity that you have is only the key. It's not anything that's... That's not always true. What do you mean by the key? Everything else claims that the key has been signed to make. Yeah, right. So technically it is just the key that you're pressing. Well, I'm sorry. Now I'm confused. So if I'm using a certificate, it still boils down to a key. Yes. It's your point. Yeah. But I don't want to lose that issue that there is, in some cases, certificates that are used to kind of map to a key that... But those certificates are the things that we exchange and use for identity, but to be clear, right? Yeah. So I think what I'm trying to get at is, to me, a signature doesn't really imply anything about the object that is signed, other than it was signed by a given signer. It doesn't say anything about the content of the object. Yeah, except the hash. Yeah, it is the same content, but it doesn't say what the content is. Correct. Eli, if you said this is SQL v2, it's only because you trusted the publisher who said it's v2 that it's v2. It's not because it's something in the signature that says it's v2. Right. And that gets a little bit too... Well, I don't want to get too far out, but the main thing, like... That's what I'm trying to get at, is what are we trying to... What attribute are we saying that the signature is giving us and is that the same as what a signature actually can prove to us from a cryptography perspective? I think we look at the scenario is I want to be able to pull a thing and when I pull it, know that it was signed by an entity that I trust. Okay, I'd agree with that. What we've got... I think if we agree on that, that is a good core thing, right? It's not like... Then the question is, how I referenced it, how important is it that I referenced it as opposed to that it's still signed by the same entity as I trust? So, for instance, the thing we were just talking about last week was... MyDB, because I'll try to... Not my SQL, should I be somewhat agnostic. The MyDB version one, colon B1, if that's what I referenced it as, and this is part of the point that Justin's making, if I pull that from Docker, but I referenced that, regardless of what the path is, that when I'm pulling that same thing as its name from my local registry, that I shouldn't be able to use that name and trust that that name means something. And I still am going to do the check that says I only trust MyDB cert, in addition to Coke or Ackley Rockets, whatever, so that I can take a certain set of vendor software that I trust, I'll allow that, or software that I sign myself and my company. So in this case, I'm running the MyDB directly from upstream, but I'm building on my own software to run alongside of it. So I want to trust those two keys and only those two keys. So I think you've made a leap from I have an object which is signed by a given signer to I know the identity of the object. Is it that I know the identity of the object or I'm saying is we want to somehow reference it. Once you apply the name, which is one of the things that you were talking about, that connotes something about the identity of the object itself, right? It has a name that's referred to, like there's lots of Steve's, right? And there's a couple of Steve Laskers. So if you just reference it by name, you don't check anything else. Visually look at me. Hear my voice. Look at my ID. You don't really know that I'm the same Steve Lasker that you know. But if I have some other information that says, oh, this is signed by the Lasker family. I don't know. Whatever. Something that says, oh, yeah, that's the one that I do trust. Then I'm okay. But the point that I've heard Justin, and I'm on the fence, actually, on whether I want to, the name should be signed or not. And I think it's an interesting conversation. If I'm pulling something from Dr. Rob, it's MyDB V2. It's not even V2 is a specific version. It's just a string. That that name should be somewhat trusted regardless of the path, regardless of the registry. And that there's some comfort in that, that that's the thing that I'm referencing. Because that is kind of the way I reference an NPM package, if you will, for my package management. Where I got it is somewhat irrelevant. I got this package. So it's not just that the publisher of the content is trusted. It is what, it's what they said that content is, is also trusted. It's not trusted. It's just then, there's an implication of trust as part of it. My example last week was if I, if I build something, I give it a name and I set that name in my cube manifest and I run it. I do want it to be the same thing between those two things without me having to put the content hash of the content. And because otherwise, I mean, otherwise, if you just run something else, I won't sign in the path. That's, that's, it seems a significantly weaker guarantee. That's basically a downgrade or a sidegrade attack. Some sort of replacement, some sort of replacement attack, which seems, which seems, I think, I mean, having a time, I mean, it's better than it not being signed by anyone, but it does seem a very weak guarantee. Yep. Well, it's not with you. It's all just back to that trust conversation that we were having, but I trust Justin. Well, no, it is like, I don't even, like, this is literally about a workflow which is just involving me. I trust myself. But I mean, it's like just having a workflow where I can build something in one place and run it in another and know that it's the same thing. But in that case, that you, I'm not trusting any third parties at all. Yeah, yeah. But as part of that run in another place, is the full address the thing that you're trusting or it's just the left entity? I just, I'm being very vague. I'm just saying I want to be able to run the same thing, know that I can specify to run the same thing as without. That seems completely reasonable to me. I don't understand why that's broken yet. Like this whole notion, I think you presented a viable pack, a viable path that assets are going to be signed, created and assembled. And then at some point in time, someone's going to sign off and say, we like this. It's approved. It's, it's vulnerability free. It's all of these things we love and know. And I apply the signature. That signature should remain with that bag of bits so that it can be independently validated. I'm wondering why that does not work today. But I thought it doesn't work today so much. I mean it's, but the question, so the question is, the question is, well, there's a whole bunch of questions like how do we implement this? Like so, I mean the, But if you divorce, so if you just, if you just have signatures, what do you, do you have a separate signature for a challenge effect? There are a number of ways you can pull it off. I mean that's the thing, that we, I mean, so I'm, again, outside in taking the issue, because pretend the, the manifest in all of the assets all of the assets associated with the signature were kind of autonomous and they could live independent of where you get them from, right? And so that validate the, the validation when it comes time to ensure that the contents haven't changed should be segmented or divorced from this notion of where it came from, right? But that doesn't work. Well, that doesn't work today, but I think we're trying to make sure of, how do we solve the use cases that we think are important with the, you know, the thing that we're designing now. One of the things that keeps, that I keep thinking about is, assume that we didn't have a registry, that these were just like files on disk. Would the file name matter in terms of the signature? File name? Yeah. Well, we can change the name but then they can look at the, the file metadata to see where it comes from and where it's named initially. So I think I'll be a file from Sam and Jane to, to when they look at the metadata and so I know Sam. And then if there's signature in there, I can put a file across Sam with a file. And maybe Sam but I can change that name. And that's something I kind of keep on coming back to is like, you know, loose things that are on disk. I still want to know that they're signed. Like even the, you know, regardless of what registry I pulled it from, because in some of these environments, they're bringing bits to the IoT device, you know, and completely other paths. It may not even be a docker poll. But yeah, I mean, but the top solution there is it's, you also sign a list of names and you point them at the objects and you can move that around too. So you can just, you get a signed list of names. So today in Notary V1, I signed. None of this is relevant. Like it's V1. Yes it is. It is relevant. Yeah. You're signing a list, you signed a list of names. Okay. As well as the actual. And you're signing the entire path to be fair. Sorry, that's where I jumped into this. You are. That's not strictly true. There's some complications, but roughly, roughly you're signing a list of names as well as the objects. So it means that the digest of the name results to the region. Yes. So basically you're signing, I mean, you're signing the information that you otherwise can't trust from the registry because it's, which is obviously a amount of duplication, but obviously you are putting a signature on that resolution. So you have two signatures. You signed two things there. There's also time stamps and things like that, but the important ones from this point of this conversation. You signed the actual image and then you signed some information about the sentiment. It's just a metadata. Just the tags is signed at the collection because the repository is a source of truth. And everything, entire collection set of the tags is signed as one drop and it's put into the notary. The problem is the discovery of notary is a different issue. It doesn't sit on the registry today. You actually have to go to a different endpoint to get the collection information. That's the whole issue at this point. So you're signing just the metadata? Yes. Correct. Leaving aside where the signature is actually placed and the key is in me, you just signed the metadata to the image. You don't sign the actual content. So. Well, the metadata contains things that you can verify the actual content with. So it is the actual content hash plus a whole bunch of other information. Because that other information changes when you move it from one registry to another, it's an interest in a longer valid even though the hash could, may or may not be. I think there's some other stuff from the hash as well, right? Well, no, all the information is actually valid. The only thing that's actually tied is that the, is a cert check, which is kind of your own. But in principle, all the information is minus some implementation specific details. The information is perfectly mobile. The information aside is simply the hash and the size. So leaving the discoverability aside, is that a valid thing to continue? Is that good? The name is fully qualified, which means that if you move it from one point to the other, and you need some kind of federation to go back to the source or know the mapping up front. I mean, so one of the things that I've been trying to get to is the collection is a full collection of all tags. So when you have, when you're moving a single image, that is not a valid option. You have to move the full collection. So it's kind of broken windows of how you move a single image. It's not feasible. So this is in the context of moving an object between registry. That we do a bit of registry with the registry. So I try to you promote your conversation. I try to page to broad. That's what I have here. I put the, you keep in the, you keep in the name, but it's a different path. Oh, I can't point, because I've got my screen to point at. That one says TMA. So my DB image went from TMA to staging to products. Notice the image name didn't change, but the path within the registry changed. And the second scenario is there's actually separate registries. So everything else is the same, but the registry changed. And the third one, they're using the same registry, same team. They just retag it in a different way. And I've seen all three. I think the, we say we want to make sure we solve the first two, regardless of what we do, right? I think everybody's agreement there's, we have to, we want to solve that. We can move things, whether it's a Docker hub to ACR or MCR to ECR or whatever. The naming part, whether we lock the name, the third one is the one that we risk breaking. And for this, to argue for Justin's case, I think, I don't know if I want to call it Justin's case, but for one of the things we're discussing is, we all get hit by customers that don't like the fact that tags can change. So they deploy by digest only, which is the human, the human nastiness. I can't actually read it. And Kube displays, don't even show the full path because it's so freaking mock. So it's just, it's not very usable, but they don't trust it. If we said we only supported signing the name, then by the fact that it's signed, which is pretty much what Notary B1 does anyway, do we mind losing the fact that if you want to re-tag it, sorry, we don't support that. Like, you would have to re-sign it if you wanted to do that. Because that is such a bad thing to not support the last. Only if signing is truly painful. And expensive. I mean, it's a, so it has example, examples, right? I mean, it can go a lot of different ways. I mean, there may be so many reasons you want to rename something and having to re-sign it again. Like, what if I'm trying to name something and the only, like if I, as a developer, try to do this and this has already passed QA, I don't need to go back to QA to get it signed again, just to do a simple name change. Are we talking about naming or tagging? Or tagging. Like, it's all or the difference. Okay, but it doesn't be fair. No, I don't. Some of the people that actually don't live in the Docker experience. Yeah. And normally, I would absolutely agree with you. And that's where I had started, honestly, when I did this whole DLL conversation or binary, it's like, hey, I should be renamed. It's still signed. In the Docker workflow world, it's not that strange. Like, there is some assumption around the name of the image, regardless of the path, has some meaning. And the fact that it can change because tags are immutable, like, other than the signing thing we're proposing, I actually could create my own thing called myDB 1.0 or I can point it at that tag. So customers get very nervous that that thing can change if we were saying that we are signing them. There's also the case that actually most images have multiple names. Okay. It's just that things are called. Yeah, that's fair. A part of the name. Does it have tags? By tag, we usually mean the last part of the name. And there's that. Off the count. But you mean like, dash-staging. Dash-staging. That's probably 1.0 after the corner. 1.0 dash-staging, yeah. I was highlighting. So anything after the corner? After the corner. Yeah. That's the terminology we tend to use. Yep. That's the last piece of the name. And I know that, at least from some customers, if something went from tag from stage to tag to prod, but that just doesn't happen. That's not supposed to happen. If it happens, it's a bad thing. Like, you're signing the fact that it's in prod. You best not be moving that chaping around a little bit. You can't, you can't. People do. It'd be fair. People do. I don't actually think like, if we're going to change something like, or put some restriction on it, because we get so many arguments from people that they will wind up doing digests, or we add a feature called tag locking, that if we just said that we are signing the name, and if you, you... Well, I mean, sign tags effectively give you locking in that sense. If you... Adds an industry standard. So basically, because you basically just, your signature will break if you, if you change the tag. If you change the tag. If you, well, if, I mean, if you, if you sign something called 1.0 and you're checking that name as part of the signature resolution, then if you pull it as latest, it will fail. It will fail. Which is effectively makes tags immutable. And sort of, I mean, it doesn't, and it does. Well, they show me the tag. You have to use, and you have to use an immutable tag to run it if you want to change the signature. And to be fair, for the sneakers where latest is valid, they're going to sign latest as well. Like, I joke that latest, you know, we, we don't never deploy. But you have to resign it every time you push a new latest. So, I mean... You know what, there should be some pain in using latest. Well... There's a, it's a inside containers thing around latest being weird. Okay. You've got patterned. Not equally. I was just going, this is a terrifying question, but so it sounds like if the tags are immutable today, and it's nearly locked in now that this, is it, is it more palatable to say that each... I wish there were a configuration. Customers get to pick, right? If you want this to be an immutable tag, you pick and choose, and you have some flexibility here, but... And they have that tag. Tags are not immutable today. Well, in fact, in certain registry implementations that have built features around that. So, you know, ECR has, I believe ECR has, but it's not something that's part of, like, the registry stack or anything like that. Because if you say tags aren't immutable, that's for if you push again for the same tag. And the way you do this between our registries and the behavior is slightly different between our registries, so which customer is just, like, cuts the anti-pattern of working with containers. So that's why I'm thinking, and you were more advocating for being very flexible on the existing workflows. Yeah. Are you okay that we don't let people change a tag and... I think that that's going to break people who have workflows around, I'm renaming the image entirely or I'm changing tags. And I think people do that. I do that. They won't stop you. Like, I do that. But to be careful, not exactly what you're talking about. This is that other definition in terms. What I'm saying is just this portion. Yeah. Of course, this portion doesn't matter. That part. Like, you can change this, like this part. No, I change that part all the time when I'm working with images. Like, just seeing of my own workflows, I do this. And if you change it, if you change it, do you want it to be re-signed? You wouldn't know. I don't want the signature to carry with it and continue to be valid. Even though the name has changed. Yeah. What is it... Give me an example of why you're changing the name. Yeah. Maybe I'm making a backup of something. Backup is one, moving for permission boundaries is one, moving domain registries is one, moving between our gaps. Well, all those are the path. All those are the path. Those are the path the path. From an image spec perspective, the entire path is a part of the image right. If you're saying that the last segment of the repository is a path, they are introducing a new concept. The OCR layout doesn't understand that. There is currently a concept. Yes. So if you're introducing a new concept, it's a different thing. The other thing that I wanted to kind of like bring to the table is the fact that the index is already an extensibility model is something that I wanted to propose as a discovery mechanism. The index has a way to say, this is the image. It has a way to say, this is the metadata and this is the signature. The second part post the discovery was the validation of the signature and the scheme of signature. My initial like off the bat conversation with C was we have a well-defined model for claims. We have a well-defined to do things like jobs and the scheme of the claims. The content of the signature has to be separate or defined separately and it's up to that's a separate discussion that we should have. So if we sort this out as discovery, we like first portion and index is already there as a way to discover stuff because we already do that for platform for architecture. And I think you've already written up a bunch of stuff on that. The tag remains the same and when you move the tag, you move everything under that tag which includes the entire chain of trust and all the contents because today you cannot say I'm moving a manifest without moving the layers. You have to move the layers around. All implementations make sure the entire chain needs to move. So if you're saying that I'm moving an index, it's only a matter of clients to be able to move the entire chain including the signature of the index because it's hanging off the index. So it discover and mobility kind of gets sorted out through that. But what is it that you're saying? And I'm not doing it again. I'm on the picture way. Tag doesn't name. Tag doesn't matter. We just whatever the matter whatever the digest is. Whether you want to validate the tag name or not is a signature level implementation detail which is if I have a claim that I want to validate that the claim on this is tag is equal to sequel to then we can go with validation on any engine. But you want to make it an additional that's about signature validation and content validation which should be separate from the discovery mechanism so that we can tackle these two separately. I mean, we never get to any conclusion if you bundle the whole thing together because I think discovery is a client experience. Signature validation is a cryptographic experience. Right. So the simplicity for signature validation is not going to be that straightforward but for discovery without having people change their workflows that's what I'm trying to like nobody wants to change the workflow. Everybody wants reference by tag but have I pulled it with the signatures what we're trying to get? So the index already gives you an interaction mechanism. So that's something that I just want to kind of like raise. Or sorry, but what are you actually proposing? Sorry, I'm confused. So in the index you if you have an annotation or a media type saying that this is the signature of this type then why can the tag a five car signature to an artifact? And when you put the signature you re-tag it with the signed information. Is that good enough? Or is that... What do you mean sorry? Can you be more... What do you mean by? So let's say I have Ubuntu 16.04 or something like that and that is currently not signed but from a workflow perspective I have a signing mechanism that can go re-tag Ubuntu 16.04 with the signature information on top of it using an index. Is that acceptable? But part of the thing we're debating is once it's signed to Ubuntu 16.04 regardless of its path and registry can you rename that? Can you change the tag or Ubuntu? Yes, because the discovery is through the index. The index digest is all that matters at that point. If you're pulling by index then you know that yeah I'm pulling the signature down and the signature can have what the original tag was where it came from who the claims or set of claims are it's an extensible model at that point. The only thing that you don't get or rather honestly you don't have to go back to notary to kind of get the signature from hands forth. That's the reason why extending on the index just makes perfect sense even from a discovery standpoint. Today... I think we I think we all agree that index is the way I was talking to Sam I couldn't understand why your index when I manifest why don't I just sign the manifest to remind me once you change the manifest then you change the signature and it's like so I think that level of detail that you provided makes a lot of sense. I think it's literally just a matter of do we think some level of strings in the path are have to be locked or do we not? And I'm actually on the fence on this one I actually really this is one of the few things they don't have a strong opinion about. Today it's locked, right? No, well sorry today the whole path is locked. Yeah, the whole collection is locked. Can we compose this conversation into groups, right? So there is the qualified path. Do you want... Can you bring up the the route of the notary spec? Sorry, sorry, the our notary project I put the I put the I put the I put the I put the I put the I put the I put the it's not it's it's like it might be consistent it might be consistent I'm actually saying it's a point to it. I think there's probably that it sounds like the conversation should gear towards you know, if we think we can divorce these things a bit fully qualified path names sound like it's in a category then there's name of the asset the name of the container itself might be be and then there's the tag and I think they all have different variations by which we're willing to separate them or divorce them from the existing signing experience and and introduce portability for the asset to your slack channel Sorry, I'm trying to give you some visual the point that yeah But does that make sense? I think this conversation even from last Friday we went from fully qualified path name into path name into tagging and I think we need to decompose parts of this the name of this asset of assets in general right yes right to this end because we we continue to go right through fully path fully qualified path name into the name and then we add down tagging we need a little focus on I broke up a couple of examples there just as a way because we we do refer to these things differently at times so I was trying to provide it sounds like there's a need for portability across fully qualified path names like where you actually pulled it from may or may not be as important as the name and the tag is what I'm learning now right and so can we turn it up then we'd agree that everything on like here this is the registry like this we refer to this is one path of the registry but there's a path then there's what I refer to as the actual artifact this we has to be able to change because it has to be able to go from Rockwell how to ECR this has to be able to change because people use different namespace that represent prod staging and different teams and so we're okay with changing this and then and do you say being independent of the signature that's right that's the thing right everything right well I I don't hear that all the time I don't know if we think I don't know if I would agree that the repo get on tag as a sufficient namespace for the universe well we don't go there I'm don't go but I mean so I don't you know I maybe maybe you you want to go there I mean you know I just I'm not sure that yeah I'm just not sure that's enough of a namespace to give everyone anyone this is part of why I was talking about having some sort of canonicalized name something like maybe as much as you know the sort of reverse DNS type yeah like org example dot my application something this is the name of it and that is divorced from the location of this yeah yeah but can that be in metadata of the artifact okay so that's what I literally try to treat this as to cloud fire like when I put stuff on my server I put things in different directories depending on what I'm trying to load it where and I do move them into a backup folder and so forth and I just view this as this is where I happen to get this thing if whether where or what folder I store it what path I store it and what share the registry I store it and it's going to really matter I'm a guy program that I store everything on the source get up there we've seen how that how that works out well is that me no no no please move an image from docker hub to ACR let's say as a company I am okay that that signature remains valid yeah I would want it to remain valid I want it to remain valid if a vendor has put an image on docker hub that they want me that I want to go use and I don't want to pull it from docker hub every time because I'm concerned about things like latency from docker hub to my end to the cloud it comes on or availability because I don't have confidence that the registry is going to remain up or that the network link between where I'm deploying things and the registry is going to remain available I want to move that into some place that under my control but I still want to be able to validate the signature that's the whole point of signing is you don't care where you got it from you don't care about the repository you're able to verify through the signature and that requires that you can reference the thing you're signing in some nice good it means that we need to to not divorce the the concept of where did the thing like where did you download it from from the part that you're validating just to give an example we build stuff for MCR on the registry and full transparency MCR has no right capability nobody's ever going to be able to push to MCR which means that it's got to come from some other place so you cannot build in that domain at all but yet you want the signature to say that it's coming from MCR so how do you do how do you make this if the signature is not portable and can be signed in a secure environment that doesn't allow you like domain access of that end point in any form so the point is the portability of the signature is critical and that domain can most likely will never be where you're you're not going to run it on the on the front end to kind of be able to build our domain meaning the this part the part of where the registry is living so to me the the image reference which is the full reference is what you want and OCI has a well-defined annotation saying that the container image name reference something like that that should be in the claim because claims are a well-defined way of just validating stuff and from a if you're writing an admission control or something like that you should be able to validate that the OCI name that's got this that is the canonical set of notations that you're saying it's a thing about a full canonical yeah that's here about DNS thing is that the same sounds like it's the same concept it's not although I don't know what your concept you're referring to are you referring to tag with that annotation no there's a couple of fully qualified there's an annotation in the image spec that's called or open containers image ref names I didn't remember yep that's what you're talking about what's the definition we're independent of the fully qualified name the name of the reference is before it's forget it is the fully qualified name so we didn't get it's a way to be the name outside of the registry because it's it's in the content instead of being like just where you download it from so this is a string that gets embedded into the the content that's here you guys just said two different things but I think I heard but what I did here is a way that versus it right yes the fact is is that it was at one point time the fully qualified name at its birth yes right yeah at birth there's an at birth date or whatever this is this is a place there's an at birth place yeah that is defined forever more possibly in the of the OCI image names so what I'm what I'm trying to get to is that name can come in through the signature because the signature content can be anything well then you can bother say it was when you get it well asked that yes there with that no that this is a label that's supposed to be on the the label on the index that's that's the sign it's a label the label it's a label sorry my so there came up for putting these kind of metadata in the image already that's if it lives as a signature claim can be validated out of that before you even pull the image saying that this image has to be X or Y other than the fact that there are zero images in the world with this reference on too wild I think there's zero images with this new notary toon sorry the motion either I think there's there's no no okay but we'll have to okay but we'll have to change all develop tools to well anybody that's going to sign has to find challenge here is if we're going to rely on this annotation which I think is that's my opinion that's the right way to do this you have to have a way to specify that as as the input to your validation operation as well like I'm expecting this to be the reference when I'm pulling this image and it's different from the location where I'm pulling the image from and so it comes back to the two inputs when you're pulling stuff so which maybe it maybe could default to where you're pulling it from is it it may be what default to where you're pulling it from perhaps but maybe but maybe not not not not if we're making a profitable developer experience is useful but let me just ask a call thing to come right fully on how this thing is created if Justin signs something and he signs in and says com.docker.who what stops me from signing something that also says com.docker.who nothing except you have to check the that the you have to check the signature is the one you expect for com.docker you check the signature and you may have a point of view in your in your trust you might have your trust policy it says I only trust this key for all signatures that claim to be com.docker.anything yeah but it's and then if you mind by a different key then it's going to be invalid regardless of what what's there if I'm a little bit too input to talk about the final front why am I going to pass them to as long as they know this like I'm not I'm not saying that the string isn't invalid I'm going to that it's not valid that it's not useful what I'm getting it is it seems like more helpful interesting information but really at the end of the day I trust the docker key could be right until you know until I don't like any of these things I will trust it until I don't and then to Justin Kaplos's thing at some point a key will be compromised hopefully I'll know the date sorry one question here because you don't trust the docker key I do for until the point for Oracle's content and you trust it for docker's content yes so scoping is very important yeah so there has to be the stuff that can't say that nothing comes from docker yeah by some me what I don't understand you don't trust me signing something and saying it's my tickle but that's the thing is until and I'll just keep on using the docker one just a second as long as I trust the docker sir and there's no information that says I shouldn't trust it so I'm going to start with trust now if somebody steals the docker sir and starts signing Oracle content I'm assuming that they're that they shouldn't go out of this way to go make sure that hey folks the docker sir got you know compromised so now all of our new content that key has been revoked here is the new docker you should you really shouldn't trust docker signing things that on someone said something's bad has already happened by we we've jumped at different scenarios I was trying to use a scenario that for somebody the docker stole was stolen to sign Oracle not that Oracle content was put on docker but it doesn't matter it's like it doesn't matter where where it comes from like if you see a a signature for Oracle database that says it's signed by docker you should not trust it regardless of but how do I regardless of how great you think docker is there's something gone wrong though but what is it that tells me it's Oracle versus docker but the Oracle is just an arbitrary string in this case unless you're saying it's something but you you need to know that you need to have a mapping between keys string you need to know in this case and that's what I'm questioning is that something that seems like an extra burden so this is a building that's a lot of money that's a lot of work that's a lot of work well I think we're working out what the usability of this use case actually looks can be here yeah absolutely that's good for okay okay but I think I don't think you can just trust yeah it's all going to signature for everything that will be not very exciting I think it's a loaded one I think that there is you're assuming and I wasn't thinking is that all the stuff that goes on docker have this signed by docker is that what you're kind of jumping no I don't know I'm not suggesting it's a good thing but I'm I mean that's not even like even that's I mean right now that's not that's definitely not the case no no different names the my sequel the my db signature for keys the my db force signs the my db image Oracle signs their images they both might put them on docker hub yeah there's no docker key in this case so those two keys are two vendors that I trust and bad guy is the key that I don't trust but you I need trust them you only trust canonical design if once you you don't trust canonical design my Oracle yeah definitely I I there needs to be a mapping that I don't understand how you're making a leaf that there's a second name that I know on comparing as opposed to it's an arbitrary string of the the artifact that I've referenced could I add something here please yes yes so I I think there are use cases where you might one both actually you might one one or the other I think if I understand correctly what you guys are trying to say is that so what Steve is trying to say is that in some cases he wants a way to pin trust a way to say if I somehow know Oracle's keys I want to make sure the docker somehow doesn't pull a switcher on me when it presents signatures right that's one thing the other thing that I think Justin is hinting at is that sometimes you may want to trust docker to tell you what Oracle's keys are but in these cases his stance is that by default you shouldn't trust docker but if you wanted to there there needs to be a transparent way to distribute in a remote case does this make sense yeah I just I'm trying to I agree with that mind of the implementation I don't necessarily I think we should divorce the two they are separate problems I think we talked about sort of like how deep a PKI we want to set up who manages that and that's a like how do you validate that this key belongs to docker or this key belongs to Amazon or Microsoft that's a separate problem to solve for this I think for the naming perspective let's assume that solved and see sort of like what we need to do here because that's that's going to be a much longer conversation where we have to talk about like are we going to trust a central sort of like our distributed CAs are we going to trust sort of like keys that we get from organizations I don't think we can cover that in sort of like a 10-15 minute discussion 200% agree with that because arguably the other end to this is that I as the person consuming all of these packages my business is to run whatever I deem necessary please don't over complicate it so you've got to give me there's got to be something flexible enough that lets me be successful with ever risk tolerance I have in my portfolio but let's not leave this the naming so I'm still no closer to our common view on naming right and I think you were just about to walk us through then you will want to do a name construct that gives us I mean what you're your example right yeah I was starting to write stuff but it doesn't matter what I'm struggling is how do we correlate the second thing has a semantic meaning as opposed to it the string happens to have the word oracle on it like it you're arguing that there's an actual real meaning that the doc can we start with the easiest use case for you and let's start with because I think it gets complicated when you start to have multi vendors and multiple keys and different rules and I trust things differently just give me a standard package that I'm applying a signature to that I think needs to move today I'm going with Justin's images I hope you don't mind that's okay you want to pull an image that Justin and push there you can write Dr. Paul Justin too and the Dr. client transforms this into a location on Docker Hub it's just that's the hard-coded default in the Docker client today and one thing that we could do is we could say well when that happens we're also going to transform the name of the image that we're expecting there to be a signature and it's going to look something like that and we can validate that there is a key and it's like Justin's key that we know and we can say yes Justin's key was used to sign this image yeah okay I'm sorry what is the right what is Justin's key signage have to do with this string that you put at the top for comm.docker at Justin's your this name is not exposed to the client right in any form could be okay so this is something that that the by convention or some annotation or some kind of entity that you're going to look at when you validate the signature yeah yes and if there is no validation then you just continue pulling but yeah okay yeah mix up so this is assuming that this is the value of that annotation that we were talking about okay like if you want to pull from I put it somewhere a different registry on a different location how do I know that this image should actually be transformed to that so I think you have to have it as a second input here then you have to say something like name cool I want to go now I think well minus minus from or something yeah probably like that from being you're getting it from a place or that's the annotation name annotation we could do either name could be either way could be either way round yeah some you have to specify then both but which one is the what we choose is defaults and things is a UX question not a yes this was this was the root of the question I was asking or is how much impact we're making on the industry like do we expect kube deploys compose every other thing that knows how to deploy which is to now specify things as two names well regardless of what you do the moment you say here then use spec and this is how you're going to use it to prove and to sign and to validate the signature you change the CLI even if it's and you want to keep that to follow for I'm right to some extent if we can keep the referenceable path the same and the kube deploy files and all those other files don't change you mean to the implementation configuration host thing like I'm going to say that this host that runs my containers whatever it is CSKKS whatever that all those kube deploy files that are people using across so whatever the scripts or don't change but I can say on my host I only trust things that are signed from these entities so hold that in this I specify go get me Justin calling foo but get it from there instead right correct okay but let's say this was signed Justin who is signed are we stating that that that signature has quote-unquote ported over because that image is in a separate location but the signature has moved over with the image and this client trust the key this this client knows to read this value that run from there yeah and has a key that it will be it's valid for this and can use that key to validate the signature that is present okay actually how does that happen how did what happened how did how does the docker pull of Justin calling foo from that registry validate that calm docker Justin who is still valid I can understand how that information how did it get the key I'm trying to or how did it difference between is this the idea is that you're because you reference it as mirrored slash something we else please no it's no the keys and no nothing in this yeah this is arbitrary characters yeah so we didn't trust you have to be able to get a mapping from you have to get a Justin caron for you to come to docker Justin caron for you yes yes actually so I made it up or that's fine I made it up assuming docker hub yeah right assuming sort of that but because we're trying to talk about the simplest case the simplest case in docker today is when you give it sort of a bare image name and it says that means docker hub and so you can have similar transformation watching it's quite really something that I'm just passing when I sign it or because that's the registry I went to at first you're scoping it to become the trusted name when you get it from a target I'm asking how that's got because you can always you can always you can always sign it explicitly with a name but it might be the default if you have say automatically set it up if you push it to docker hub fine if you regardless of what registry you could if you currently yeah so you could always sign something as mtr right even though it doesn't get it's nice having it pushed by to mcr right it does eventually but so that that first argument or if you say from that is a that's not a the choir only when you need to validate the signature so validation processes in it also from was just pointing to its new location yeah but you don't need to specify I'm trying to you're doing signature validation yeah that's to me the the fact is the last name is the workflow the first part is the validation step where hey I want to validate that it's coming from Justin food but that's where I would deploy from I would never deploy from that so just from a usability standpoint I think flipping it around I think I think that's my answer yeah yes and I think that would go around and I think where I was going for last time also was like you may want to use that extensibility to just to say here are the additional set of claims of modality and that could be anything that's captured in the metadata so just to drive this consensus we're thinking that the location the signature has to stay with the object even though the object to me moves yeah yeah yeah we all like that lovely idea yeah yeah weak yeah I think it's 100 percent right the second thing is because the container image name input has location in it we have to dive forward to the system split that out so you can sign it we're thinking there's an annotation in the OCI spec today already that may enable you to do some canonical naming of that object now in signing we may have to use that or like like sounds like writing out here when you do a build you say this is my canonical name that is said he signed it up together now you're done right but when you do the pull you have to be able to go back to that map and say I'm getting a canonical name of this where's my he that says I can trust it yeah I don't have a question about that so much as getting to the canonical name but I think at the end it would be a slightly different flow it's less about here's the canonical name where's the signer it's more about I trust the signer you check the key and then which canonical names do I trust from the signer if you want it to go down that deep and then you see if they match because some people may say I just trust the signer I'll deploy anything with their name for some you may say I only trust these canonical names from this publisher and that goes to Trichon's options you might say for example that like I have my own key that is my QA and this key is validated is valid for asserting any claim yeah right right but that's my key I control it so I'm going to generate a signature it doesn't matter right so I just have to answer right what keeps me from signing it as those that do me isn't dot com dot docker dot Justin you won't have the signing key you won't have the signing key oh I see because you're correlating the two together well when you find the image you're going to give it a key that you find with all invalidated I don't I don't trust your public key to have signed that namespace agree but let's say you do sign trust my key I'm Oracle you actually need Oracle software from Oracle and docker but I don't trust Oracle to sign com dot docker dot Justin so I trust Oracle to sign I trust Oracle to sign com dot Oracle what what does and I don't trust Justin to sign com dot Oracle I only trust Justin to sign com dot docker dot Justin so where's the mapping of the signatures you have you have defined that in your trust policy what is the benefit of defining two names versus I just I trust Oracle to do the right thing for there's their signatures there's each packet you're only you're not sold of entered you're getting packages from multiple vendors right so it's a smattering of who you trust and the packages but I'm but I'm getting this I have let's just say I have two images name if you want to I mean this isn't the weakest model we could build there is a weaker model basically where you basically just trust anything that's signed with with a particular key say for example I'm saying I only you're running any software from Microsoft regardless of whether it's flight simulation or Excel and then you don't need a name you just because you're trying to differentiate because what the scenario you're getting is oracles now sticking Docker strings in there I think if they start doing that I should flowery you could do anything ask him he'll tell you but they he'll hold them once you're making a different point that I don't trust the games from I don't want the games from Microsoft running in my environment I only want and I trust that Microsoft is putting the right the name naming domain name things in there so I can exclude certain things I just don't want in my environment I got to interrupt the other one one I mean we we could we we could support the the really weak model too I mean I think it's something that's come up a few times I wouldn't but what do you mean by the really weak model the really weak model is we don't have a name as long as the the signatures as long as the signature is in your signature policy which might be just so I just run stuff signed by me is the simplest policy or just run things signed by Microsoft if you know I generally you'll probably be the only one that really makes sense is just I'm running things signed by this key which I'm going to use for prod I don't care about anything else I don't care what it is but it says that if it's signed for prod I trust it's gone through my workflow and it's okay and that I mean that model is is significantly weaker because it doesn't protect against rollback or cross attacks or whatever but it might be it it might be more usable which but leaving it's definitely weaker so it's leaving how we validate the keys and who trust pins and all it to your point it's going to be something you have to solve regardless right the the bigger point is we all love images have to get moved the signature moves with that image right and the way to do that would be using some sort of annotation already in the spec right and what is the consequence usability change for a client's workflow when I I'm actually I'm kind of making an argument that I don't know if we need this string I'm questioning how much extra value it gives us because it changes the UX for people are used to correct but we aim we shouldn't solve that look at the signature without it though we're going to solve that right this minute we have to break out groups to actually try and solve that uh I'm more worried about the the he is trying to advocate for the even weaker model I think you keep on referring to even I don't know if it's weaker versus it's not it's definitely weaker it definitely doesn't stop rollback attacks you can run so you will you cannot distinguish between my sequel three and my sequel four because they're both signed by Oracle so they're effectively identical so I can I can basically hackage your industry and stick my sequel three under the label my sequel four and you'll still run out and it could have found the versus it if you were able if you got my sequel key but if you have my sequel three I'm going to not crush you any my sequel three is already signed by Oracle I can find an old signed copy Oracle signs all versions of my sequel yes I I I don't know that we went that far I don't know that this was a case again tell me to shut up but so this is not simply a case to speak to the the provenance of an asset which is kind of what we're talking about right first up here was divorcing name from yes signature that being said I clearly think we need some illustration of provenance which is kind of the next discussion right provenance knowing that this package was signed by whom do I trust that person yes or no frankly did does my corp when golden sacks get something and they signed something do they override every single like you know is there some is there some notion that nears was raising a moment and go before about how complicated can the pki get and then what is validation look like I think that's the next conversation this this fits well right well I think I think this is good I'm sorry what Justin was saying was slightly different in the sense that I have signed a version of my software and that and that's I totally get that let me close up why my point is intended to reflect that I only I've only approved version 3.0 for my organization erin.lynch.org I'm only ever going to allow you to like I'll sign off on the packages but you can't do that with the base verification is what we're getting at with the base verification yeah but I wasn't relying on base so you approved my SQL 2.0 at some point and now you moved to 4.0 knowing that there's a vulnerability in 3.0 the 3.0 that you signed at some point is still out there someone can put that back in that signature is still valid but I could actually have a policy that says if the names say part of the signature and the example that still says my SQL colon v3 and then there's a my SQL you were lucky for a version without names I was arguing for books actually but I'm if you want a nice but I'm out of getting back for names because in that case you don't have to get back for names again I can't then the my then what I don't have to revoke a key so what I can do is have a policy using opa whoever it is whether what your policy manager you guys use but whatever just pick up a policy manager and I don't allow the colon v3 oh yeah I'm not sure why I don't revoke if I know that that's a known like don't I why don't I revoke that well because the problem is is that you might need that running in a different environment because you haven't figured how to mitigate that environment you don't want to revoke the key hole you start putting policies and it says hey this environment allows us to in the next 30 days because you know Sam has some remediation time to fix his app that depends on it but this other environment doesn't actually have any problems there we can actually put a policy that environment be is only allowed to run v4 or it's not allowed to run v3 whichever rule direction you want to that assumes that there is name level validation yeah I was I was I was I was I was so have you have you agreed that we at least require names I mean that's I mean that's we don't get I I'd like the flexibility of some of the stuff we're talking it's scared the hell out of me to have to ask every team that has designed this a templating text file that that's if I the names of their images that we're going to ask them to somehow put this other thing in there and if it depends on it I don't think they will and I don't think this is assignable you mean when they're doing the build if I'm doing it not not of the build the build go less worried about because they are going to change signing at some point but the validation work for workflows that go through the kubernetes deployment files that go through on the on the DIT system on the pole side you were saying Cedric that there would be another way you design the pull you'd write the pull yeah I would pull as to I would just go to my source but the signing one would be the other side so can you it's just it's just a minor detail this will be the ability to say so I would still say an offer full and still be a registry dot on slash all the enforcement options would be signature validation options or signature name options which would kind of be flagged on the back so I can say validate tag with name or something like that the name can be fully qualified in a for of the resource can be pleased but that's something that we can either define as a as a configuration or whatnot but the reason is that if I don't pass these in and there is the environment that is kind of like a the never mine then it doesn't stop me from I would not have to change all the who says it just used to be for docker model of you can still deploy with an image is not worried about passing in names I don't want to change the basic so it's been an hour and 15 since we started I have a quick question here for clarification how does docker like if I do docker pull how does it know which keys I trust today yeah trust me now like well we're trying to get away from that model right so you almost um is tested by something to tell it where you trust yeah nothing to try to get away from a model per se it's the model we have doesn't flexible enough right that's more of the problem so it's not like we're really trying to introduce that flexibility does that necessarily mean you'll have to change the ally to get that flexibility yeah you need to trust to if they go to so today you do docker pull and you'll get the link from docker hub I mean at the moment with nature I mean there's I mean tough really be one of them in an idea world or be one really key docker um with those review one as you as soon as largely trust on first use because of the larger number of keys which as we discussed last week I think is a really bad large model for something where most tastes are ephemeral and first use is possibly ever used yeah so so though having a small number of keys is definitely um an advantage in terms of because you don't want um or you don't want to have to specify hundreds of keys to basically yeah so yeah thank you key one of the are yep go ahead sorry funny and remote thanks thanks sorry could I could I slightly clarify how how it works what Justin's saying is correct um so the way it does works is that that's basically at least four different keys for four top level roles right and the root certificate is basically like the the root certificate for docker.io and that's really the one yeah they should really be one root for docker.io and the way it works right now is that everyone manages their own root per image which is not ideal for the reasons that Justin described so there's a way to do it where you have one root docker root and you can split the trust and you can say well docker give me the key for our article I don't care I trust you anyway or you could you could add bidding mechanisms and say docker nope just just give me signatures give me the images I'll check it myself using keys I somehow got out of that no I get how it could work my question was more around do we need to change docker full to even address the base scenario yeah I know that's exactly what you're saying it's like today customers do docker pull and regardless of what you do if you want them to get a signed image no matter how you do it you're going to require a different docker pull to be a live comment I don't know I think so thought because we were playing with this a little bit like today there's this environment where you get set so but you still docker pull and there's a background thing that changed the configuration behavior so when I think of like the the thing is I as a developer I'm saying here's the image I want you to deploy I just want to give you the image now Aaron sorry yeah um Aaron required for security so he's saying hey in this environment you can still pass the docker pull but unless it matches these collection of keys it's not going to happen so it's nice and what you can do is that you configure those you know various hosts to say at the host at the running operation level that the pull command still the same command but there's this background configuration that says I'm only allowing these keys of these paths and the opa policies can do a similar kind of thing the person who runs the pull should not have the ability to pass an arbitrary key it should be at the environment level configuration otherwise the policy of the admission controller cannot enforce certain policies so ideally the pull command should not change it should be the same the aspect of things like trust spinning will enable you to set what keys are permissible at what scopes now the problem is you're not getting to trust spinning at a scope level because of the way notary and trust spinning are working today my hope is that we can come to trust spinning v2 if you're doing notary v2 where each you can specify has to come from the signature and things like that that way when you author an admission controller you get much more granular capability so the user doesn't change it it should be at the controller level so now we're talking about how to make it happen yeah not talking about the fact that we all want to make sure that you can find something independent where it's posted yep I'll move it around keep the image thanks the signature with the image and we're done okay it's like doing our renovations to your house there's a certain amount of things you can change and certain things you can't and I'm just trying to figure out what do we really need to take out that wall that's supporting the roof and we've got to put in a beam to change it I don't know whatever the right analogy is I'm nervous about trying to change any of the in between the time is built and the host that's running it any of those experiences that require changes is in the context the high risk in the context of configuring trust or in the context of identifying the unique identifier the security people like you two really don't give a shit about containers you're just trying to support this environment you're going to impose some rules on this production environment this team that's been building all these containers for a while they shouldn't be impacted you should go work to the host operate the host thing that's running this workload and make the security configurations there and we should not and because to see if we can roll it back so whatever many years ago when this thing started you know with a lot of things we would change but to minimal impact on changing the environment that's the main metric I'm just trying to poke at some of these changes where and maybe I'm too early on being concerned about that based on what I just heard like why can't we then just configure the policies of environment variables as well and let Docker pull state of the way it is that there's something else that stops the environment variables don't really work for like Kubernetes yeah yeah environment variables that's a lot of configuration that's important something to change on those what do you change by environment it's going to be yeah it's going to be it's not that it's a conflict that we can use for different types of environment isn't that another persona all together to the to the point that there is there's a series of tasks to enable trust for the lack of better description here right that's a separate role separate persona working in that at an administrator level for these to enable these security policies who do I trust is a fundamental question we should all be asking right but that that workflow it's going to be there anyway when do you make that choice set up of a certain environment set up and change based on what's next so it's 320 right we've done a lot of talking and I don't think we've gotten a lot of questions or at least feedback from the remote participants one and so well it got to the point where was that Trishank actually put something in the note saying we need to make sure we talk about this thanks Trishank that was cool do we want to take a five-minute break yes we do we should we should we'll take a five I'll try and take what Sam wrote up put it in the notes and then we'll see what's the next thing because it looks like we're in violent agreement about what needs to get done with the name and the signing and now we're getting discussing about how it happens just go I I okay are there any other roles I don't think quite as soon as the macro I'm still struggling on this conversation of which way what is locked and what's not so those on the bridge we've taken a five-minute break but I can I'll keep the I won't need here so you can listen thank you are there any other questions well after we start I'll get a circle from the remote to see what we did now I went through one round of cook the board set of folks then even I think encryption people I mean I guess you guys should also kind of like this is something we might have discussed the digest of the image you want to consider this a secret because there's an attack vector that and we discussed the map mm-hmm it's a little discussion mm-hmm not for this yeah well so I'm kind of just and this is also generally my fault because it's another stuff that I'm slammed with but there's an existing state of play with notary V1 that's for many reasons the industry is not adopted yeah we're going to do a notary V2 in large part to ensure that the industry does adopt yeah okay therefore there's certain things that are good let's keep those some things it does not you know very well which we have to change what the heck are those things that it didn't do that we want to change so far ever one one it has to be able to move yep and we like sweet now the next step is how do you implement that that's okay the spec has to be able to state that I can move it and here's the artifact mechanism by which to select up here I'm not worried about the second part I will solve that what is the other bad thing about V1 we didn't like that we need to be able to change I didn't want that because that's a requirement that's a core statement the single point of trust is one issue with the way for example and right now also the collection is the other thing when you have a large number of tags you're signing the entire set there's a lot of issues then these are important these are one month before we get to cook on and I know my god and you don't have to leave stuff I have to be ready to go to the PR for this like in my own head you put it in like keeping it because I go to the PR for this from my head there so we have to move spend time on the categories we had we've did a lot of this on project too well there's something we've cut through the scenarios today scenarios where we were I think we were trying to capture all of these these things yeah okay perfect that was sorry somebody saying something on the bridge yeah the one thing that I'd also like to touch on after we we start a conversation is what is the actual object that we sign when you sign a container image you can write that that's a different image right here which is local in time when you build the image and you have to call content digest which is the hash of the manifest which is generated well after you push right yeah and wait a bunch of times specifically you can have two different image digest generated for the same image by two different registers okay write it into the way registries compress layers so even if you try if you attempt to move an image between two different registries you couldn't validate the signature simply by the registries having different compressions on the same layers right I think the way we were looking at what design was leave that discussion for later and identify what the requirements were and then when you get it just kind of like copy this one down over here we'll make this so there is copy on the second floor where does it have to yeah give me a sec all right ready I got that I've got to go and copy okay yeah just want you all to know we're all counting on I just wanted to say hi I'm between I'm between meeting so anyway that was all for you I'm Bob Wise I'm the GM for Kubernetes hi at AWS so and I've like stuck my head into the news and on time yeah we met briefly thanks yeah yeah yeah yeah and then so I at least we met some of the working news so apparently not everybody I'm at AWS oh you're with AWS so nice to meet you very nice to meet you yeah it's like I tend to get involved in all manner of open source fun stuff as is indicated by my title here so sorry thanks you shouldn't mistake what I was saying a moment ago you should trust vendor signed packages over like right the ultimate source of truth is the signature is generated by the person who holds the key and is responsible for that package like those things that is kind of an ideal state I was just looking for flexibility well I think that has to be true I also might need to say in this case maybe I just trust them like there's a validation team that I as a business might just go with right so I trust that Justin is doing the best thing for my organization and my time to market is greatly you know patient if I just kind of go this path I don't disagree with this whole notion of I shouldn't rely on Docker designed for anybody else at all yeah I mean the question is really how were you I mean there were there are a lot of different workflows and levels of complexity that people want to implement so we need to provide ways that they can do people can do simpler or more complex things and I think that's I think that the in a sense the more complex things are easier because you can you can clearly go and examine lots of information and make detailed decisions and then sign to say that you have done that for example which actually could encapsulate a very complicated workflow or you could do that at the point of I mean you could validate all this stuff at the point of running as well but maybe you want to add it but I mean those kinds of complex highly configurable highly detailed workflows are kind of more straightforward because people are prepared to invest for in doing them and they're going to do them and yeah but we need we need simple workflows for people who are not prepared to invest a lot as well I'm kind of less worried about the complex ones because I think we can if the opportunities are large enough they'll sort themselves out as well and they're great yeah and they and and adding adding options to more complex things is easier than adding options to do simple things yeah trying to remove stuff after agreed agreed I totally agree and by the way we built we break these things down to a common building block that is arguably reusable right and so this kind of the notion of decomposing these that complicated scenario into almost where you were going minus the marketing term weaker but but you're the alternative way of marketing that is here's a straight straight forward example oh yeah I mean that's the thing I do think that um that we should consider that this is not the simplest case that's useful I mean I don't want to oh this is not the simplest case that's useful yeah I mean I think that that's what simplest cases I think the maybe I mean maybe that maybe if the weaker one is much easier but still gets you something is that worth having anyway I mean effectively it's um I don't maybe maybe doesn't give you enough to be worth anything at all maybe it's one laptop stickers I have some else here laptop stickers that would be me I haven't got any from my mind I had I got a new laptop a while ago and I'm I'm completely re-stickering yeah that's the way laptop is sure do you have any where did you pick this up from do you have any Amazon laptop stickers uh at my desk yes it didn't bring nothing but if you want you got next break I will go get some Amazon ones too because you got some kind of nice ones which ones do you like I saw you I wouldn't get them earlier uh actually your Seattle guy for is particularly nice I don't have extras though but um the um the UCR one is nice I'm not the UCR one which that's one or this one oh I looking to see if this one's a really this is an old one these two are really old I remember yeah I remember the ETS one the guy had a t-shirt with that one on this this one on this ETS in space this one's this one's not being used anymore when we saw this one I'm fairly sure I had a t-shirt with that one on one point um I don't think we had a t-shirt with this one we had a t-shirt that was sort of similar but not like that maybe yeah not yeah there was another sort of spaceship he designed oh okay it would have been a while ago get some fruit I'll just say some phrase it was very nice because I'm not damn fruit veggies something everything water is healthy that's what I have right now is that where you want to be yes where is that I know I downloaded this so this is not a you like that's not where I am though I don't know yeah but so I've spent a lot of time on the east coast specifically the southeast right and so those white fine grains beaches that's ours that's ours and I don't have no idea but this reminds me of the Bahamas crystal blue water sorry we're waiting for actual coffee yeah I think it would I think it's freshly brewed all right we'll just start it again on the bridge there was a lot of talk over here what do you want to make sure we didn't miss around the concept of making sure the image can be moved from one place to the other but the the signature stays I guess valid yeah this specific example was because right now we signed the hash of the manifests and registries can very well generate different manifests for the same content means the signature is automatically invalidated just by the fact that hash that's that yeah that's that's not really true and it's also to some extent not our problem to work I mean fundamentally that shouldn't be wait that's that's that's a that's yeah it's truly about I think we we I I guess most of this comes when people have been manifested to be constructed because of things like Jason pretty fire and all the stuff that kicks in so technically if you pull the manifest and push it as is the content should be the the content and I this should be the same it should not change there are scenarios where it does happen the part of problem is and maybe this will change between the old docker stuff and the container these stuff where it's the compressed still sticks around I think yeah yeah the the other thing that can happen is when docker pulls stuff it uncompresses and untars the layers and then throws everything away yes and so he continuity doesn't when you read when you want to go push that it has to reconstruct and it might tar the file in a different yep yep so that choose different compression settings and all of that's going to change your danger this is too it should be a tooling but I think signing signing the manifest also means that you can't really sign the artifact at build time but you have to do it at push time as well no that's also that's again a tooling artifact because like your you've just got tooling that doesn't give it to you at build time but it actually should know it by then and again is that the docker engine has that now but container D does not do that just use container D and you all your problems will be solved yeah I think no results for container D you have to across container D will give you the cache at build time any tooling that uses container D will do that so wait but the macro question is is signing the manifest enough what do you have to sign signing the manifest is the correct thing to do fundamentally but I think that it's like what are the options I mean there have been a few people who won't have have come up with slightly strange use cases where they want to sign individual layers and things like that but I just don't think we should support anything like that it's just too complicated for you I bet fundamentally you want to sign you would you just want to sign the manifest because that's like effectively what the image is as far as the registry is concerned there's one case I can think of where maybe signing the manifest just by itself is not super great and that relates to when you're doing image inheritance so if you take an image you like have a docker file that has the first line is from and you want to build a new image from it and you want the signature of the old thing to still be valid there's no more providence you won't have the original signature be valid because we're not preserving all of the things that are in the original manifest as well and that relates to if a construct is not preserved so if you also preserve that you could address it or you could say I only want to sign the collection of the layers instead of signing the manifest as a whole I don't really know if I think this is the right answer I don't think those are the right answer I think the right answer in those cases is to you know use something a lot like in Toto at build time that basically will make assertions about the things that they used to make a film from and and to have a reproducible build scenario where you can re-extra that and and some tooling that can look at images and tell you things about them so I just I just don't think that I just think it's too complicated to be done in as part of a normal workflow just because because of all those things you brought up that basically make it like there isn't a compositional model in ACI that kind of gives you those properties now and again maybe you should maybe we should construct a compositional model that's more compositional that we haven't got one right now and I don't think it's I think it's our job to find things that exist not things that might be useful that they exist is maybe so everything we've signed the manifest or the digest of the manifest we're actually very hand wavy we by signing the manifest we actually mean signing the digest the size and the media type of the manifest because that's what the register that's what the spec actually that's there that he is the descriptor are you wait descriptor yeah are you saying the whole descriptor I believe we I believe it's the correct thing to do sign the whole descriptor including the platform annotation things that are in there and the other annotations as well or do you sign it next this day or is it I I think probably the whole thing is the correct thing to do but I think that's something that we need to sit down and so it's a Derek's got a lot of opinions about that I think Derek said of the opinion which is signed the whole thing the whole thing the whole descriptor the descriptor which is somewhat different but I think it doesn't technically make any difference like to the from the sort of cryptographic point of view we're fundamentally you're signing the hash but you might be signing a little bit of descriptor as well because that's how for the registry actually retrieves stuff and works but but it doesn't it's additional information in addition to the hash so and it has some anointing but I think it's probably already and that's that's the question and thanks a lot for the first part the first question was whether signing the manifest or a hash of the manifest is the right thing to do and thank you for the answer on that the second one is the second question is do you get the guarantee at any point that all registries will yield the same image digest for the same content and can I as a tooling author rely on the fact that the same image will have the same digest across registries that the image is defined as as far as Reg is concerned about having the same hash I mean it's a content address both door if you push the same content to it it's the same I mean it's you just got to be very careful that if you push something between registries you push the same content which the tooling is the new tooling is designed to let you do yeah they've been tripping over the old tooling yeah we all tripped over the old tooling because while a bunch of people are working on the new tooling the new tooling is not in the mass market like most people aren't using this new tooling because we haven't declared anything of v1 or vn so we got to get that the point and then you guys will you as docker will probably merge that into your client tooling and everything but I think we we sometimes forget I mean anybody's actually using have we heard anything where not we're signing more than just the descriptor the entire thing is the right thing to do trying to append the point next or you just asking is there any other thing that we would want to sign no the descriptor is pretty complete that way so I totally missed the fact that the content actually changes depending on the descriptor requested so when you push the artifact you could push it with today today if you push it out of the rocker v2 the up conversion will or the down conversion will be the problem at that point so the descriptor will prevent that kind of an issue so the manifest changes depending on what you request to the registry and if you sign the descriptor it is pretty complete from that way it doesn't you can and signing the descriptor doesn't spoil portability many a fashion no nothing in that descriptor that goes up and tells us it's a manifest plus some other data there's nothing that says oh that's from docker versus acr so I mean what you were saying about the manifest changing based on what you're requesting so what happens is that we actually so when when when an image is pushed we save the original content digest of what is pushed then depending on the client you get different digest because you can have an OCI index or you can have a docker v2 index I'm sorry you can have an OCI manifest or v2 manifest being pulled and the digest will be depending on the acts of content header you're doing you're doing conversions yeah and that's what the registry spec does actually so unless you can tell the registry give me the exact content that was pushed plus the plus the content type and there's no API for that but if you sign the descriptor then you can guarantee that it has both the source manifest type plus the the original manifest itself because you'd be using the media type in the descriptor exactly plus the content yeah okay and can we also in the sense of getting your way to then whatever the v1 is can we also assume that this is going to be in the OCI stuff and we wouldn't be down level into the older docker manifest formats yeah definitely okay so this will also be not yeah I always try to use the carrot to get people to switch and I'd be nervous to make it like if we're going to put this in down level then why would anybody ever move OCI you know and we get a consistent format across this so in fact we should probably capture this I have a webinar that I'm supposed to be reporting on like playing video games over there oh my god record the webinar sorry I just we should capture that we want to whatever these changes it's assumed to be in the OCI 1-0 distribution spec or 1x what if we make any changes it's down level the docker manifest like 99.9 percent of the content we all have in our registries is the older docker manifest formats right and that one percent is because of us messing with stuff we want to get everything moved to the the new OCI spec on everything and by putting these capabilities only in the OCI oh are we going to make this a forcing function basically it's a carrot I'm actually suggesting it's a carrot and like this is where things are hey it's easy to we finally have enough value to make the change there's really only a handful of projects that actually need to change and the whole ecosystem just gets benefit because they'll upgrade to the latest version of docker they'll upgrade to the latest version of Kubernetes and magically everything just falls in place do we have issues with a statement yes no we kind of do because if you're saying that the descriptors the one that's going to be signed and the parent index will always be an OCI index right which means that clients are going to request with the OCI index type and another docker tool is to pay by default request to the OCI text type well that's my point yeah I mean we've got some venues they got some time to fix that I think Eric McGowan and others are just waiting for a good enough reason to switch over to a solid spec we're not at a solid spec here this will be the carrot to get but from the other side this is an adoption blocker for signing until whatever environment has that support moves to set support I mean but there's but there's other adoption blockers like us actually implementing the signing support as well so I think that I'm not sure that we would anyone we're not sure that anyone who's going to implement it is going to implement it for some platform that doesn't support yeah anything so I'm not sure it's technically going to be a not for us though for a custom for a customer let's say we all support the site support today does the customer now have to do additional work to get signing there'll be some minor work like they're going to have to upgrade to the latest assuming we get because we don't figure own the AKS and you know they're sorry case environment right well there'll be some offshoot of this that'll make the changes and prove it to the dependent it's on the latest version of whatever container D that subset group works on and in order to enable this capability in Kubernetes there'll be some set of bits that are a minimal dependency for the masses of developers that's where the other you know word Docker comes in and their latest version of Docker the desktop will have this switch at some point and it'll be a great value for people to upgrade to that and we'll be at a consistent state so the min bar of us here needs to be the min bar of this I think we'll just say is this notary v2 effort is going to have we'll be based on a certain level of the OCI spec we won't go down level Docker around the past whatever we'll refer to them as and yes but what is that specific OCI is it the OCI v1 distribution spec it might wind up being about 11 we'll see how far we can how far and fast we can get this done and how far and fast this pushes on getting v1 on to them so we did have some other content we did have some stuff around CNAP well it was CNAP but it was also a question around Providence and some other stuff so my only nervousness is there's so much built on top of this naming thing that can we close on that do we think we need more time do we need others what can we do to start building the first floor and have the basement done well I think we've identified we all want to move that's lovely portability is a thing we've identified that this whole finding the descriptor is a complete thing right we figure that one out did we ever settle on I hate to say whether the client side versus server side or cloud signing versus that that's transparent to this right where you sign things is it is not really the model right okay in notary v1 was there some other thing we wanted to make sure we didn't do or we changed that we haven't already said very conclusively this is like we like this so I remember you're talking about starting the collection so that yeah yeah how can you the two parts here one is the fact that we do not require a separate notary endpoint for the signature information it should come from the original image itself yeah so it's come from right yeah and so that way the registry becomes the way that people can get the signature as well the same model so whether so the registry is made could be a proxy to whatever yeah the scheme tech whatever I don't care just a matter but today one of us is more original points you shouldn't have to stand up as a separate notary server or yeah to get the environment running it should just be part of the distribution second and Vincent's been working on this capabilities feature a flaggy thing so that if you guys chose not I know you guys want to rush ahead and do it or whatever whatever they were but let's just say rush some other team you know cloud.com doesn't want to support this they could still be OCI 1.0 compliant but they wouldn't have this feature flaggy we would both turn on and say hey yeah we support notary so there's a way Vincent's kind of coming up with a way to define opt-in capabilities you can work with them on this on this no not really but I'm wondering if that just gets into if we define a signature it's like a a kind of artifact if that just gets into artifacts supporting the registry I think I mean Derek had some opinions about performance with this stuff which I should get him back into these meetings now if we're going to get onto those things but he was very concerned that adding another layer of indirection was not great and so he was quite keen on trying to trying to avoid that if possible and basically having um well when we've just gotten just name resolution being signed just having the signature checking for the name resolution potentially or just retrieving the signatures integrated into the name resolution process in the registry so if I have the flag enabled on the client when it's actually doing the pull of the signature flow in the squad well maybe not actually I don't think you'd expect the registry check the signature for you but you would expect you to retrieve it yeah and deliver it deliver it deliver it check it there at the same time so that you could then you could then validate without having to have an extra roundtrip to fetch the signature as a separate artifact and then so you didn't add an extra roundtrip flow into it and and various customers have different signing tech for different stages the pipelines too right same image and stage gets signed differently from the same image and prod which has to go to some other key management tech yeah they will that was part of the multiple key area with I want things that are signed by Microsoft and signed by me Oracle oh sorry yeah right but me me me but yeah so you might want to retrieve all the signatures at the same time for example rather than having to do a separate roundtrip for each signature or have a signature manifest list type of thing that then retrieve them well I mean so basically so yeah Derek was quite keen on optimizing the actual in registry flow for that purpose which I think is kind of reasonable but just to bubble back up but it is a kind of a optimization detail design that changed some of the conversations we're having it doesn't change the design at all right actually it's still the same as if it was an independent signature just sitting it's just a question of the API for retrieving it so do we think so again we can go either way either the name is part of it the name is not part of it can we decide now or do we need to defer I just would like us to start moving on to another topic and either we have to move on another topic and table this or do we think we can close on how we want to suggest the naming of those well there was seen that from that came well let's not say I would like to get on to another topic that's why I'm asking can we close this one out and the last week with any open items that we wanted to make sure we do this there was nothing from the scenarios there was some feedback on the scenarios and so forth but I think honestly I think a lot of the stuff was captured in the scenarios just in capital and it added a bunch that I want to I was talking to him offline about how to merge that content in yeah the threat threat model the threat model as you threat model and he had some great scenarios that at least Sam and I were giving him some feedback on 1.3 but literally there was like a 7, 8 and 9 there was some great top level scenarios yeah I mean if we could try and merge those for a review next week given that Justin's not none of that team's here this week it'd be great if we could get them yeah those things merged in so we can discuss them next week okay I can take care of that I was I was letting I was thinking he wanted an immersion so he it comes with his name and everything and he was suggesting like don't worry about it there's either some get a feature which I don't think we'll work on the path we're taking or I'll just merge it so there's some feedback on scenarios that has to get merged yep so the next week we can actually discuss it as a group perfect so okay we don't have to do that right this minute no perfect I think we need to write this down in terms of in the notes well I mean just as a description of what the implications this are what the what it implies for the UX what it implies for everything so I think this is in effect a way to sign move and not have the signature be invalidated please this is a mechanism this is a mechanism to have signatures that have some sort of claim about the content of the image and allow the image to be removed correct without invalidating the signature right while the tag can change yeah I think the the biggest thing I've seen between these two is if we want to be able to change the tag and the artifact name the repo and tag and have if we want to be able to change these two elements we need another way to have a way to specify what this name was if we think that the tag the repo and tag can be locked as part of the signature do we still think we need the other thing as long as we have the the key that says it came from I'm getting confused that's all right what are you yeah you're specifying the fully qualified name so I'm not I'm never specified the fully qualified name I'm always saying the repo and tag the last two elements no no that thing that means the fully qualified name that Justin is a fully is it was a short form for a fully qualified name yes that's slightly misleading I thought there was a whole point as we were not fully qualified names yeah we're signing a fully qualified name we're signing com dot dot dot Justin yes that is a default mechanism of discovery for Docker but for all other registries we will specify the fully qualified name we might have roles for different registries as well or something I mean that's bit but fundamentally you're signing a fully qualified name or not putting it into the poll tag the poll it may or may not be the same we might an option we might have some way of deducing it we might but yeah that's why we should write this down for the I read it yeah we're close to the metal on anything it's close I think we're closest here we should tie it off although I thought the proposal of the the discovery of the future of the tag we thought was suitable for giving it its birth name right or its birth place the thing that we cared about most into provides everybody is the birth place of this well I think often often I think we can use the birth place as but not always so the example with MCR which is definitely not the it doesn't birth things so it can't but but it's the source of things and there are probably other cases like if you're going to have a flat name space across Amazon registries then you probably want the flat name to be the default not the specific region that you pushed it to for example if you're going to be from having a so it's just a generic name not a region because you've got one you need I thought there was some well there is but but the so globally well globally it's a it's com.doc or whatever but there are you might want a UX for defaulting it to be that's saying so you don't always have to type it if it's like if it's a common case or a config for setting a set of matching rules if your organization has particular rules just to simplify it life and we may want to find that in not necessarily in the runtime but in like an orchestrator or a higher level tool that built on top of the runtime as well yeah and we may just I mean we may want to have yeah a library that you can use that redempt this resolution for example you can stick everywhere and it's consistent between everywhere but let's write up yeah let's write this down to that one scheme I'm writing the image down I'll see it in order to be able to support this and then we can go figure out how to which one is this necessarily also I didn't catch the part that did also address the tagging element too right so in your in your response right now you conjoined tagging I wasn't yeah what what are you feeling that it was a tagging this this was inclusive of tagging or not yet where are you that you seem more opinionated than I've been able to usually swing either way on the the repo tag being changeable where you yeah this is just a name you sign doesn't imply anything about what is like the the problem that we face as registry operators is customers are always asked us for tag locking every registrator every registry implements it slightly differently I didn't customers want that's not a not a signing issue not a signing it's just not a sign that's an overlying scenario you are I don't think so I think that what Justin's trying to say is that there is a name and that is the name that is signed and that is distinct from the location including the tag which I agree with and and how does it if you want to you are you specifically wanted you are asking we get something to ask if you're not just passionate about anymore it's not an issue at work you are very sort of you wanted to be able to in the poll command say have been to 1804 nice I have to because there there might be an image that is called multiple things so take windows for example you have a windows container image and you have one that's called latest or maybe you've gotten rid of it at this point but you have you have one that is but it was an 1804 you have an 1804 1804 right and then you might have a bill revision of that and there's actually the same image yes and customers can reference it either way correct and the signature has to be valid for both and the signature would be valid and it has to be the same signature and when they are the same they would be the same but when a new bill comes out the stable tag will we we have the same signature as the new one what so the tag needs to not be the same thing as the signed content a value of a tag if it's referencing exactly the same stuff human readable amongst my other things we do this for like the amazon linux container images great so we have an amazon linux latest we have amazon linux too and those are currently the same thing then there's also a revision of amazon linux too that is a specific point release of that and those are all the same thing and at some point the latest and the two images move forward but the point release stays the same so you can pin yourself to an older release of the same thing if you want but you also have the flexibility to say just keep me sort of on the current thing whenever i'm released which have a granularity you're right yeah yeah yeah that's the part that i'm i'm i'm mapping myself my guys don't glimpse to the current i could map it to the current okay but so we haven't supported that in this case yeah so multi-naming is the problem so we haven't supported multi-naming because this way we put that the assumption was we put that name that we created inside the i mean i think inside the image and not inside the signature i think you can and i think change the formal meaning by like well i'm certainly going to do this this way and then i changed you have to change something like that so and then it can keep that except sorry so well you don't re-sign the whole thing why shouldn't you re-sign the whole thing you should because it's fundamentally mean different things to you right they need me i'm so an excuse case right or what's the draw back to re-signing well you question me five questions yeah yeah i'm gonna i'm gonna take one of this time um um no sorry you're right in the example that i had it was sort of confusing because i was using the same saying for both what you could do is you could just have the name there that's different and then when you're pulling you just specify the thing that you care about notice that this tag hasn't changed right this is the same one or i could change so okay sorry sorry so you were saying so you always specify the name you want to chat you specify the name you want to check the most specific thing yes but that means that if you want to upgrade from version 3.2.1 to 3.2.2 you have to change that you could also and i don't know if this is the right thing maybe you could have a validator prefix as the thing that you're expecting here or you could go farther and say i want to take in like a regular expression and anything that's had to size that regular expression you need to validate so the the thing that's in the image is going to be the most specific name but what you're trying to validate against when you pull you might be able to define you need to write that an expression that means whatever you meant that to be able to do I'm expecting to be here when this is because we're building the name into the image yeah yeah but if you put it into the signing metadata as a claim then you can have multiple claims yeah which goes back to being more like the get signing model where you can sign tags and there's and the name of the tag is it's part of I actually you sign I'd always thought that was the model but now I realize the disconnection because unless you move the the name into the sign the signature information you you get you get bundled in with one name as an option but you can have a set of aliases or for each tag if needed if you want to solve the multi-name or you have a signature per tag which is the other way around so one tag would only have one okay both models are they have their pros and cons I don't know okay you know look at that animated get I don't know why it's got the little tails to it I'm not sure if that's a resolution it's kind of hypnotic I'm I'm I'm I know it's going to scrolled off the top but it was it kind of helps visualize the anyway I think we can come back this is not a like solution right this is a discussion point yeah so but the idea is to use the canonical name of some sort that's already in the OCX spec whatever is existing to define the image and sign against that so the location can move but it will be signed in points to that kind of thing that basically what that is okay sorry and then with respect to tagging I could tag it and it'd be different and it won't matter like I could tag it prod my prod my favorite my least favorite and it all maps to the canonical name signatures are the same yes so naming if you're going to support multiple taggings on the signature that leads back to this discussion of whether the signature should know what are the possible set of canonical names that it can be referenced as for example bionic or to 1604 kind of the same but you need to be able to know which one is it so does does it mean that the signature will have multiple canonical names in it is probably an open question that's what I'm understanding I think my inclination signature would have one canonical name in your validation logic for validating the signature should account for whatever you think are the valid set of names right so if I accept if I accept you can so any version of a bobon too then I know that it's that the canonical name is going to be a bobon too and the details after it might be so there is a convention that the canonical name varies only from one set otherwise people are on one side or something like that they go out of from a I don't think it's not really a convention I think that I'm just saying that it's up to the validator to decide which names it considers valid for an image okay I understand an open question well no from a signing perspective from a crypto perspective what does the customer want to do they want to sign it doesn't preclude that right a customer can actually say I'm going to sign that canonical name with that version and tag and that's all that ever this key is only going to trust that period this key and you go off and try and verify a different version over the different tags we should be able to say that's not allowed and that's a security policy that customers will have thank you great think that might be going a little too far on what the key itself would do the key essentially ties to a signer right and what the signer is signing with it really depends on what what claims they decide to put in right um they can decide to put in canonical names or decide not to put in canonical names there's no need we do have to start specifying the types of claims people can put in if we go with something like you can put in any one of the OCA annotations you could take any set of those annotations right like it really depends on what the signer chooses to sign so other claims that are being signed the set of OCA annotations is whatever OCA specifies can go into the entire description that literally there's no spec at this point yeah I mean the question so originally when we were talking we were thinking we could sign the manifest which would have OCA annotations in but if we want to move that to the so the signature and what you're actually signing then it's not too much to make a spec for that and we could just use OCA annotations or we could put it on nice by scent one of the suggestions that I had in the the pull request that was like the different ways that we could structure things was you could specify basically everything as an entry as a descriptor in the list of manifests in the index and so you could have a descriptor that points to a signature and then also points to the components that made up that were like inputs into calculating the signature one of which could be the manifest and another one could have been a claim that is made on the manifest think that's like a couple levels in direction pointing there does that make any sense no it didn't can you say it again and you just want to give them the a preview of that yeah that's probably easiest sorry yeah yeah let's copy you have an index in the index is the list of the manifest it's just the name of the list and each of the things in here is the descriptor A all of the descriptor is a point to the manifest and they're that they have a content type but the negatite that snaps to that manifest and then it points over into some other object right which is the manifest object over there so another way that you could do this you could have a signature on here this is its own descriptor and points into its own the object or its own just point content of light you could say the signature has input included this descriptor and included like a claim so when you're calculating a signature you could like append the descriptor for the the manifest and the descriptor for the claim together and then you have a signature of both of them and when you're validating it you can know that you want to validate the signature over both of these things does that make more sense then then okay what does that make more sense does that make more sense clean I mean right now arbitrary right so don't we could define what that is we could just go to standard claim schema which has a specification already you don't have to invent it where's the claim it's the JSON claim schema okay what are you using for border claims jobs and things like that it's I think it's pretty commonly used but that's that's just about how the claims need to be it's just a key value pair in some form that's the rough thing but the other thing is another like a a minor possibility in this is that the index can technically just be two which two manifests which is one is the descriptor of the original image and the second one is a signature if needed and the signature because right now my understanding is that the registry cannot point to random layers in the manifest it has to be a manifest itself has to be a manifest list cannot be a layer in it I might be I might be on it so in the in the original proposal the signature can point to a random block but a manifest list can only point to manifest right right well we have been discussing a config object in index as well which in theory could so instead if even if we get the signature and it was a manifest of a signature artifact type with an accessible model of any content you want to put it can have canonical names it can have separate set of claims in the config object in the signature then it's possibly I mean that's also one model where you don't have to kind of like explore the original manifest also and as a client they can follow through here and I see the descriptor I don't have signature validation capability just go and pull the image itself but if I have signature validation capability then I go and pull the signature out and then my signature validation that is an interaction model and then they can enforce that I would only pull this image if it passes the signature validation say and that consistent with what you're thinking Derek was your perfect conversation is this a slower than it's okay yeah I mean I think that that's that's just about optimization all right wait where are we at I was I was cheating and reading ahead of the CNAP thing but where are we at um did we capture I wrote that I wrote down what that's also roughly within the forward quest that I had open that's fair yeah I wasn't as worried about that because honestly that was I think that that's why I'm trying to get a couple of these other things figured out because I think the conversations and decisions around which one of those we choose falls out of the previous conversation of what we're naming and what we're annotating can we agree that the tax is binding to the index of this one we didn't get that far I don't know I don't know if there's another option but we didn't get that we didn't explicitly say that yet okay because I think that that really does get into the deeper conversation with Sam was capturing from all the various people around where is the signature how do you refer to it because we can't change the manifest with the signature that we're signing you know the chicken egg thing we do need to put things in an index so it logically makes sense is your concern there for clients that don't know how to read image in this no it's more kind of like leading towards tag immutability so the point is that if you try to push an image with let's say my app v1 then you try to sign it you you potentially want the signed you want to that tag to point to the signed digest so immutable tags won't kind of work there but if the client makes it possible that I can push the digest and then I can finally push the tag as a signed tag then it's fine so it's more about the clients that need to enable that thing the tag immutability just breaks when if you try to push it and then you try to resign it yeah I mean it's also not a spec feature though so yeah yeah but that's why I want to kind of like it's just easy off the the details okay so one thing is we've got to do some homework before the next Monday meeting once the scenario is emergent so we understand it so we can comment on that a lot better I think we've kind of agreed on a few things do we want to shift to the CNABs thing that was sent in there's one thing that I guess we've kind of implied that which is a difference from stuff because actually some of this isn't that different from stuff here it's about we don't think we've got any kind of use case for snapshot files I collections of stuff at the same time what's the use collection of stuff what's the use side of connection use side of the whole which by sure you are pending all the tax so if from now you change the tax you have to start a construction again oh this is allowing tax to move this need allow it that's the change the tax change yeah tough wouldn't allow that because tough makes those signature over the collection of things that are there you'd have to regenerate the signature every time you change it right and that's sorry could you clarify sorry I don't fully get this it was true yeah the so-called notary v one every time a collection of images change you have to resize the the snaps out this the what that called the collection of all the images yep so we haven't specified things like like that in notary v two yet oh okay I think I see there's ways to automate it most of the time you can push signing the timestamp a snapshot like docker or the registry can do it transparent for you for all of the images instead of the way we're doing today which is a different timestamp snapshot for every image this helps the question for me is I don't know if I understand the use case for those snapshot files in the context of what a like how people use container industries for images oh I see that's interesting yeah it's designed actually originally for dependencies between packages like let's say on debian right if installing a package you're usually putting in dependencies we don't have any images sorry we don't have dependencies in in any useful sense like that yeah yeah I see that's interesting I don't know whether there's other artifacts in there that might want to list dependencies but that's a whole different topic I guess so basically this is the the problem I mean the issue with collections was we discussed the permission model for this one I just a set of images and I get a set of set of digest that digest set should never change that was the whole idea of permission sets right you have immutable collection so forth snapshot guarantees that that collection has not been changed I would like to hear a use case for that first I don't see a scenario for that it's a it's a it's a it's a valid topic you mean in the container yeah learn yeah it is valid from a security standpoint but I don't see a customer wanting to use that yet if you did registry replication then I want to move an entire repository which means I saw snapshots and these are the digest and these are the signatures and I move everything over that is a valid use case but are we targeting that if so where does collection snapshots even apply is something that I'm not well follow sure justice point is is this is explicitly not targeting that this is yeah right image and are we cool with that and as of now both Sam and you were saying I can't see a reason why we're not cool okay we seem to pull that yeah I the way that people use registry is typically that like each each image in the registry is basically independent and often people don't ever delete anything from registry so it's just a ever accumulating thing of everything you've ever built financially um and so there is there's no sense in which there used together at all so who would provide a counterpoint to the statement Trishank I think this is something that I don't think that we can decide in the next 40 minutes this is something that we should yeah I I just I want to raise it because it came up implicitly earlier I wanted to make it explicit that um that we've that we haven't come up with a use case for collections and we've come up with models that make them potentially harder to implement is there any yeah I see what you're saying it's a it's a valid concern I think we should write this down and think about it it's definitely something to think about as a quick note I just took a look at the other things that are included in snapshot and I think the only thing that isn't just a list of all the files is including the version numbers of each of the files to make sure that you know to prevent like a rollback attack or something like that that would be my only concern getting rid of it entirely but yeah there's that just realized there's another thing we did design for docker um Justin mentioned a registry for china so one of the things we designed especially for docker was a way to allow hosting images and let's say another country and you may want to trust some signing keys to them but not everything necessarily and so having the snapshot actually buys you security they cannot switch the images but we can talk about this that's probably the highest security use case I can think of right now I can I can add that to the document so I just wrote a note saying diverging from tough and we can put a thing from that because you want somebody scanning those to go oh oh oh I want to read that part I would add a piece of them it's the possible mirroring scenario yeah such as dockerhub in china just as a nothing more than a tickler for our memories is that is that accurate Justin I mean yeah that potentially could be I mean um cases where it does matter from that that could be one that could be the only you could be the case that you don't want someone to mirror it and to a another country but without these images but there's not doesn't but but because of the way we tend to refer to container is we already know what image names are there and we don't have any support for really doing semva or upgrades other than doing that I'm not sure or that it really fits with a real threat model I would say but I think we would we need to look at it and see what from a threat model perspective mirroring should do its own set of threat models right like the collection itself the set of vulnerabilities in images that go I don't see toughness solving mirroring as a use case by itself because there's more to it than just the signature the entire collection as a time stamp of things like that but it's also the set of use cases around mirroring and the set of properties around mirroring and a set of none of which is supported by Nature v1 okay because mirroring wasn't really a thing but they do exist in the there's a whole section on mirroring config in the top spec okay so so then I'm wrong so you've explicitly called that out good so it's explicitly in the notes and then the notes yeah do we want to do a read of the CNAP doc that was also on the agenda so we don't forget that yep just capturing can so I wrote to take on for the to do is to catch up on the scenarios including Justin Kappos can you take on writing up the naming conversation like what the options are and what what are the next steps yeah and I put whatever you let's run up in the notes already okay all right so we are taking 10 minutes and reading the CNAP doc that was listed up in the beginning of today's meeting notes there the notary V2 and CNAP I feel like I'm in AWS school why why is that because I'm reading I mean I'm not stuck in PowerPoint we've we've we've we've tried so many eczemas and people is becoming second lecture okay okay we'll try we'll try quiet raise yeah Radu would you would you like to kick this off introducing this yeah sure now we're gonna read it we're actually reading yeah I would say we're explicitly not doing the Microsoft PowerPoint conversation we're gonna read first and then discuss well well you'll you'll get your opportunity let's just read catch okay so should we come back in 10 minutes or so sorry what was that are we reconvening in five 10 minutes or yes we are reading the CNAP notary V2 doc that was shared earlier we just just give us 10 minutes to read that okay so so I guess we'll be back in 10 minutes it's like a 10 minute breaks on like a good idea for everyone yeah yeah but over here we're doing the reading so no brain all right sounds good thanks guys a couple of partner BD guys oddly our org has partner BD under the partner group your partner BD of the service team group so it actually gives us you will ability to reach out to one or the other and I think it means value goes far into me because SouthTac and another that's worth with they do a lot of a partner reach out which is really great right yeah when we're shipping a feature 90% well not 90% but a good number of times our customers are absorbing that feature through a partner's higher level service right super nice super nice Sajay did you want an OCI sticker it's going on huh you want it I think I should I mean you've been working on this for so long you want the stickers no I feel like the only sticker I should have on my laptop right now DCR but I should also have an OCI sticker because that just you have easier stickers huh do you have easier stickers yeah and guess what at the last coupon they were the first ones to run out and a reinvent of the first ones to run out because most people don't get them and they're like wait what's that weird looking thing but I haven't seen what my laptop means I don't know what it means but I'll take it we do see I have that I have that one Sam see you have that one mm-hmm all right we're waiting for so those on the bridge we're waiting for Steve and Aaron to wander back in the room and then we'll get started on this okay sounds good how long are you here Justin you leaving tonight no I know I'm I'm I'm around Tamara Redmond yep the other side of the lake like up the other side of the lake yes yeah both Bob and Deepak wondered and they're like wait that some of the people who are familiar Aaron they were here we have everybody in the room so the CNAB who was wanting to give a five-minute quick on this stuff the great Radu Radu Flores yours Radu thanks a lot so for the purpose of this conversation you can think at CNAB as simply a package a map just to distribute applications built from multiple components right so specifically it's a metadata file together with a list of OCI artifacts right the bundle definition which is the metadata part describes parameters credentials other types of metadata about the application together with a list of OCI artifacts that are used in the application and because we have a list of artifacts we represent a bundle in OCI registry right now as an OCI index so we we use for now annotations to define the fact that our index is representing in fact the CNAB bundle and the and represent the list of artifacts as individual manifests in the manifest list portion of the that's how we're distributing bundles using OCI and because we're using the same model as as we're distributing container images we reuse most of the Docker content trust model for artifact sign so if you scroll down a bit yeah we're using Notary V1 right now and I said very closely related to the Docker content trust model to sign individual bundles and we actually signed the content digest of the bundle metadata file and we distribute that to Notary and then push the actual artifacts to container registries and construct the OCI index that represents the entire bundle now that is one way of representing the CNAB bundle artifact the other way is as what we call a thick bundle which is an OCI layout export of all artifacts together with again some metadata files so this this is where we get we get in the actual requirements that people have asked from from our project first of all we want to distribute bundles and artifacts in air gap environments and we want to persist signatures a signature has to continue to be valid even after it's been moved into an air gap environment and specifically has to be valid in in the case when the customer does not have access to the original registry where the signature was pushed and this is the bit where we don't really have a way to satisfy right now so as long as long as you have access to the original notary trust server where the signature was pushed you can validate the signature but if you don't want to use that you cannot really validate the original signature you have to resign after you've crossed the trust boundary any questions comments so far I I have some questions so as a spec CNAB is not a CNCF thing it's just it's a spec that groups got together and said here we go that's the Linux foundation project under JDF sorry that's the Linux foundation project under JDF okay okay so and ACR supports this well they follow the artifacts model so the fact that they can change media types so yes I think because ACR supports multiple media types you can play with it and the CNAB bundle is a different media type point there yes and no they have one gap which we've all identified that the way artifacts represent uniqueness is the config media type config objects don't exist on index we've all discussed we want to add it okay we haven't done it yet because we're trying to get the base one done and then we'll come back and do index as well but there's general consensus it's a good thing so that's why they ready was mentioned he's annotations today I see technically any registry that supports OCI indexes can accept CNAB artifacts OCI index is you're the work you have in flight yeah but no it doesn't need multiple media types though or does it no it's just the index work okay right am I speaking right Sam I missed something do you guys don't support is there work are you doing to support index yes to support manifest support index yeah well manifest listed not yet correct it's in progress right I was trying to get to CNAB as a thing that this is something so does notary v2 have to make sure that we we hit these limitations that we solve these limitations from notary v1 I mean and are we doing it because they're good things or we're doing it just for CNAB I don't know I love a question these limitations and the requirements are pretty generic yeah these apply to everything yeah I mean I think there's some I'd have some questions around the wording if some of them but fundamentally there's fundamentally these are all the issues that we've been what questions do you have around the wording I think that there's some assumptions in the if you scroll up to the requirements in four and five there's assumptions about how keys map to registries that we have not made any that probably arguably we've changed we've already made different we've potentially made different decisions about such as being able to pin the route of trust for a registry is not a requirement that we have actually agreed that we want to do at all as a thing we've talked about route of trust for particular artifact for a publisher or publish it or and potentially that registries might sign for some subset of their users I think in general we're not we're not expecting that a registry per se is the route of trust object ready can you explain why that requirement is there if a company could claim their route of trust and the registries are just temporary storage locations is there a challenge there that was an issue that popped up in the community from people who have um different entities contributing bundles that they want to use just like the example you had earlier right with an an artifact attributed by Oracle and one by Docker right where we're like yet the initial bootstrapping for my keys for my trust and I think Tishon do you have any for background on that item oh yeah sure so yeah what some people in the CNI community want to see is that so for example they need to be able to support the use case where you have a registry that hosts all these bundles and they may wish to use reuse basically a single route of trust right for the entire repo which is not there with no 3v1 right now it's a different potentially different route of trust for every bundle repo so one signing model we'd like to support to simplify key management for developers to say okay look don't worry about the route don't worry about the timestamp don't worry about a snapshot we the registry have got it all you got to do is to sign your bundle targets metadata right the hashes via bundles and we'll take care of the rest we'll distribute your public keys for you so that people know to verify your bundles so they also want to be able to use different registries containing different bundles right let's say Oracle has its own repository Docker has its own repository and you might have a completely a private repository that's accessible only in your own network but you want to reuse to say mechanism just like somehow say okay look I'm the end user I want to be able to specify the root key for each one for each bundle repo registry basically and I also want to control exactly which which registries I trust for which bundles does this roughly make sense to everyone well it roughly makes sense but it's just not a it's a use case that we more or less specifically decided that we were unlikely to want to support because registries are such large collections of miscellaneous stuff that a single root of trust for a registry doesn't make much sense for all the use case the use cases we just gassed for at least for large scale registries potentially it might make sense for an organizational registry where you're running something just for your organization and this actually ties into a for another discussion that has been raised here quite a bit as an organization I want to quote unquote bless some components that I put into my own registries whose signatures I want to preserve whose original signatures I want to preserve which ties into the first requirement which is I want to persist a bundle signal of an artifact signature when moving from one registry to another which I think I think if we if we provide that to end organizations I think we can work around this sort of requirement that I wouldn't focus on it all that much okay yeah I think we're trying to like we definitely want to be able to support Roots of Trust that somebody can support it just it's tying it to a specific registry is the concern because we're actually trying to do the opposite we're trying to make sure things can move now it's not to say that somebody couldn't have a policy that their host only accepts from even a firewall rule images that come from a particular DNS or even a particular registry so there's other ways to approach it we're just trying to say that the signature isn't like a registry is just a temporary storage location and temporary storage location for anything like the fact that something's in this registry A versus registry B doesn't really matter it's the thing is the thing the artifact is signed by an entity and that's what's really important where I happen to pull it from isn't really as like from a after a registry pull isn't really important yeah I should I should make it clear that we're not asking that this is like the required like default use case on on notary we do we're just saying it'd be great if an organization could use notary we do and reuse a single route right for for its own registry I think what you're hearing us is there's a single route that's tied to a registry as opposed to the registry is the single route yeah like because we do that then you can't move the artifact to another repo another registry and have the signature be maintained yeah he's just saying let's explicitly block that I guess that's what I'm trying to understand are you asking that you want you literally want the signature to be tied to a registry and pass no no I think there's a misunderstanding what I'm trying to say is that I agree with the requirement that the signature for an image or a bundle should be an independent registry I agree what I'm trying to talk about is the key distribution mechanism you don't necessarily need to have a different route of trust for all the it's a key management kind of thing I guess I should do a better job we should no certainly we have a requirement that there isn't a a separate key for each repo as naturally as now that's a totally agreed thing oh yeah I think we're in the same page but we've also agreed that we are not going to have a single key for each registry as well because that's too restrictive in the opposite I mean it's nice in that it means fewer keys but it's not the way that people that we're that people use registries so timely moving the key from being at the repo level to the registry level does indeed involve few keys but it's also we don't think is the answer I see what you're saying let me clarify following up on Steve's comment earlier which is that this is a host level policy I should admit that here there's not a server registry side thing this is end users being able to say well if I wanted to do this I should be able to do it with the default assumption being that you know you have a single registry and a single root of trust but if you wanted to customize on your side you should be able to and there are three yeah yeah no no but no because we're not I don't think we're going to I don't think most registries are going to provide a single root of trust that's what I don't know it's not sure that it's realistic but when we say root of trust that means a single root public key that you can chain every signature for every image in a registry from so if I hack that won't I get the whole thing yeah but the assumption is that you're going to keep this key very safe right that's not going to do the actual what we call in tough delegation so so imagine a docker IO had a single root of trust so one alternative is to say okay docker is like well I don't know I'm not signing for dockers I mean sorry oracles images but I will give you oracles keys and if you trust me docker that's all you need to trust oracles keys somebody else's keys yeah does it make sense we haven't gotten into key distribution yet yeah like that's just not a topic we've covered yet right I think we've kind of implicitly have every now and again but yeah yeah we've been a whole time so we haven't gotten into the details of it and yeah I think there's a lot of implications that we're going to have to work through and figure out how we feel about different approaches there yeah yeah we don't know of course sorry go ahead it's not best either I would much better discuss other items in this document right right yeah this is not the biggest thing that we right sorry that was basically what identifying as the thing that's not already in Skype right but there's a couple things we have in there it's like yeah it's a copy and paste you know essentially a copy and paste from the same thing we have in another area so we're just trying to identify the unique things if we're not covering something two things that I would bring up in this conversation first of all is CNAP has a definition of provenance and attestation and we plan on using to use Intodo for that the custom top collection section to distribute top to distribute Intodo metadata and what I'll ask Tushan to chat through is how we actually use delegations to define the Intodo root layout key and if there's anything specific that we need to ask from P2 yeah so we need Notary V2 to be able to support I think the technical capability is really there it's not just directly exposed to the end user to the developer I mean which I think is the only thing but we need a way for Tuff to say or Notary V2 I should say to say look here I want to split the keys I want to give some insensitive not so security critical signing keys to machines I will let them sign some bundles for me for example but I want developers to sign some other more security critical information using their own offline keys right or keys that they have that that machines don't have access to so I need to be able to support this rich model so that we can sneak in Intodo metadata on top of Tuff which is already transparently doable with Notary V1 by the way Rata's written a code to do it what we don't have the ability right now is that basically right now we're kind of force to trust the machine to sign everything which we don't want it to so for example the Intodo root layout metadata which is basically you can think of it as this is this is the rules for my build pipeline okay developer sign this things machine signs this thing maybe the machine is allowed the package but the machine is not trusted to produce source code for example and so this rules you want it to be mutable which means that you want it to be signed with offline keys so long story short we just need a way for Notary V2 to support a richer way to split keys and that's what we mean by delegation yeah we just support it in the top preference implementation and some other tough implementation itself exactly the second big thing that we before you go to the second big one you think we need to digest that one we what do you what are the what's the actual requirement technically as opposed to at a high level sorry because it would none of us read the link that's a use yeah we only read the document we didn't read the link documents got it um technically and very specifically it would be great for Notary if it's going to support tough metadata to to support the whole richness of the key basically we we need to be able to support tough 1.0 style delegations that's it and I can point you to the part in the specification where it talks about all that delegation okay so no need to should be able to support the tough 1.0 delegation thing we're moving the signatures into the registry this is just metadata on the signature itself why does what do we need to even worry about what is in the signature because in total extensibility will be on top of the signature itself I'm just trying to understand where does this is there a requirement on that I'm saying like yeah is there something that no read needs to do well it's almost like yeah okay sorry sorry yes so in total we'll do its own thing from a no three we do from a breeze like it doesn't care right we can sneak in in total metadata in there that's perfectly fine we can already do this what I'm trying to say is that we need a way to split so right now if you put all of the in total metadata in one place the problem is there's no way to say well machines get to sign some things with different keys and humans get to sign some more security so for example the sum in total metadata you never want to sign using a machine right it just breaks in total security there's no point to using it because there's some higher level information you you you basically want it fixed and that's the part by delegations what I mean is you're saying okay look if you're looking for some sensitive information go to this humans who will sign this information with their offline keys if you're looking for the rest of the security not so critical stuff here's the machines keys for the machines and go ask them about it you want to split the trust okay so given we have two minutes left before five I think right and I don't know how many of us can stay beyond or whatever is there something already written up in the notary github that they can go and comment on put something and say look explicitly allow us to do this or explicitly don't block us to do this because we're already using this capability and artifacts for the best thing we'll just be open and the Trishank and to open an issue in the notary requirements repo and you know he is explicit in this scenario and what you're trying to accomplish and and where you're where you're concerned that we're not supporting it because I can't tell from what Saad you're saying is that something goes on top of what we're doing or we're signing something that you've already put in it like I don't know whether it's outside wrapper or an inside contact well he's definitely saying that notary veal one doesn't let them do something today that they absolutely have to be able to do which is yes with signing that bundle right I just don't know what that means in terms of a notary veal two requirement I think it's so far what I'm trying to say is like we've seen this with singularity and they've been David wrote up some stuff there and I think it was seen that was one of the examples I was thinking of is we assume other people are doing signing on their artifacts already right we're not going to make them change like whatever works to them works great yeah when you're working with registries as you're moving content we can give you another envelope on it that says hey by the way this thing is fine the fact that the thing inside of the sign too great we're not like yeah and still work what I can't tell is that that's what we're referring to like hey notary veal two no is that to sign something or there is another no I think what he's referring to is when notary veal two quote unquote replaces v one let's make sure it lets us do this signing split thing which notary veal one doesn't let us do and that would be great and so but specifically what that means for us hey I haven't internalized the doc as well as the links and like you know but you have so yeah I think it's a larger topic conversation about like how we delegate keys how keys are assigned how keys are managed in the pks and tying it into notary veal two I don't know if we've debated whether that's something we want to have been out of the band of like the whole well I know that the key management management has to start yeah usability of key management is in is in and therefore key management has to be in yes but there might be a bunch of thing additional things you can do that are not prohibited but we have to have some minimal use case that we deal with the usability issues correct and that's probably the biggest part in my mind about the next steps as well is just making sure we start tackling that you know the key management yeah I that's going to be hairy and not to drop like forget about the scenario here which is everybody's talking about multiple splitting the the keys themselves splitting the signature information which kind of goes back to Sam's proposal of multiple signatures inside the artifact and I think the power or is it no no oh yeah no it's a different thing sorry can I help to clarify and see if we're on the same page yep so you want two different things one is you don't want to use so let's let's just say that's one key to sign everything okay you don't want that one key to sign all of the same information so what you want to do is that you want to use two different keys it's signs for information a key one and key two signs for information b okay this is what we mean by the allegations that's the simplest version of it and then the other thing you want is that whoa hold on information a is much much more information more important than information b like a single key cannot be responsible so we want something we call threshold signatures where you know you have the two man rule basically m out of n signatures do we agree go ahead I I think you I'm not sure if we're at the end of the day and our brains are fried but I I think you know that these are these are not for keys that kind of keep rotating and have much higher velocity that's what I get to not re-support this already okay yeah and sorry let me try to simplify that again and I guess we should get going soon unfortunately is that sometimes you want multiple keys to sign for some type of information right and then some other types some other times what do you want to say is that I don't want one or even a group of keys to sign for everything I want to split it between different people and different machines essentially you want to have n number of keys that can be used by n number of users to claim things that they specifically can and at the end you're going to look at who signed what to make a decision on whether you want to cross this thing or not based on some threshold right yep so that's one part of it yeah it's essentially kind of like how do you enable these n number of users to get the keys what where do they change from and what do they what does that actually mean like we've talked about a lot from the organization level like we trust Microsoft but is every developer in Microsoft like you know how they how do like are we going to go down at the level of that that's a different use case from looking at things that are done by individual developers and that's where I think like the PKI challenge comes in is that how do we define that that PKI and how does that scope come in sort of like how individuals would get keys and PKI in all of this discussion falls squarely on the key management and how notary veto has to deal with that right and when we let's kick off who what did we say was the working rule for that one I mean then that's I mean that's specifically why we've got it in in your assistant without that right because sure as heck ain't me to be that so we'll get to that I'm not you know there's we there's new people coming in and we'll fix it correct so this discussion that the CNM and this doc is raising is in the context of that okay point I can make sure that that's something we have to tackle anyway I'm just trying to understand how what this actually means but that's also not something we saw right this morning you can definitely cool if you under requirements repo and I think that would be great because then it's it's lost as we are and something we'll have to go back to and make sure we don't forget when you open an issue and put some stuff in there then we can comment to the read and ask questions and clarify yeah we'll do for what it's worth there's a top spec section that describes exactly what Trishank and I are trying to okay now make sure to link that okay so next steps then five of five one step you already said you you need to do some merging of some Justin Capo's comments scenario Sam said he'll take a quick look at putting some of that stuff which we put notes in there I have a little thing in my own head that I think we need to do we've got a month before we get to KubeCon EU min bar what do we want to accomplish by then we have two sessions what is what's the historic then history has been on when you do these sessions is it like people coming to get the ah ha see the vision versus that's the first session the first session is just explain what it's about that's the first session the second session is basically working working session on what every way we want to result at that point okay when you say working session is it this room with 500 people in it what is that I don't know what you mean by working when you're on the docket to talk about it we're just the next three are out working session literally means we can go through the problems that we have outstanding and talk about what we need to resolve them so we've got you know we it's it's designed for working session that's been it's designed it's more of a conversation it's pitch for develop for people who are working on the project not people of general interest okay so we could leverage that right and it's basically some cat herding that'll occur and we'll talk around and remediate and get these are the top problems we absolutely want input on let's get going and that's the second session how long is that an hour 14 minutes I think but then it can probably run over okay because there's not going to be a buffer today in between sessions okay so what I'm working with maybe together Monday afternoon a full blown something like this for people that are there and have a room with a projector and we're just trying to work through logistics so let's start with you Sam what would you like to see accomplished within the next month to get to Cook on you just because that's a line in the sand we are I know you're not there yes I'm very gone quietly in a portion of time before then fair enough no just as a contributor to this thing what would be cool to have done by then I'd like us to have agreed on the scope of what we think is for OCI all of the things about like what are we signing and like what does the signature mean and resolving questions around name and things like that I'd like us to have a clear idea of what our what our goals and our non-goals are for that I think I know that's not very ambitious I doubt it sounds pretty pretty fine okay I'm yeah I think that and I'm kind of I think we should have an idea about how modular we're going to be able to make this i.e. what we're going to be able to offer as a kind of minimum entry point versus how we're going to give people more advanced use cases because so what exactly what exactly is our kind of minimum base user experience you get and what the kind of route whereby you add more complex pieces okay I think there's so many different things that come up in the possibilities like what you can do here like Providence and all these other conversations come up I'm hoping we can define the scope of what notary is taking on being the signing of content regardless of what the content is and show opportunity for other projects to leverage that like whether being the S-bomb or the build to source thing that Vincent was doing is that now there's confidence that I can put stuff in a registry and sign it and trust it so but there's this but we as this working group have a scope of we just sign stuff I think if we can get that and identify what's needed from the OCI spec optional or not then we can finally declare the OCI image spec outside distribution spec a 1-0 start getting teams like Derek and all the other container defaults to start paying attention because this thing come in their way and it's on point so okay anybody else wants to state what they would like to see within the next month the next month yes you've got a gook on here what can we move I mean the prototype continuity plug-in would be more we desirable a continuity plug-in that can validate any signature from a registry just to show the concept without of just as a spec I mean more than a spec so basically a plug-in that takes that implements some sort of a rough code you want rough code even before you document the spec you're like whatever I mean because the plug-in has to be driven by that at the end yeah anybody on the bridge since our next face-to-face will probably be a coupon EU unless that's canceled because of the virus you're saying what do we want to see anybody have any min bar they'd like to see sign that virus to keep it contained he did say continuity anybody I know John's been on there he's said a few things mostly by comments anybody else John did you drop don't know it yeah he did Radu Trishank Marina no from from Mars from my part of this no I did there's nothing that there's not a minimum thing that you need implemented in a time frame so if there's anything to help this process we want to have I agree with you I do as well I'd also want to get an understanding of the management requirements a lot of times making key management to the EU they just have a lot of problem really good do you want to think who's sort of like what does it actually need to configure trust right if you're not taking an out of event action to establish your trust we're kind of going back to almost like a similar to trust on first use model okay I agree yeah and this ties into the user experience for both building and signing and validating how easy and how difficult is going to be for users to set up all this okay cool I think that's definitely an important thing because I feel like we keep talking about it and we're not like starting to sort of deepen there but I don't think we'll do that by meeting on a weekly basis continuously so we're just going to have to break off and do that right so I can definitely participate to make sure notes are being taken and all of that's there but somebody else is going to have to drive that and from our last kickoff from the kickoff it was Justin right you had taken the key management piece as the main owner was it was it Justin? he's all memorable and so it's in the notes yeah it is and I know from our side it would be yeah slash Aaron that can participate and that that will give us a right blend but we'll need somebody from at least another couple of registries to participate as well who so we've got somebody from and you Steve you had suggested that you've got somebody from ACR or from Microsoft I'm meeting with some people tomorrow too just to see if they can participate in this project and otherwise we can definitely at least get started yeah go so you guys you have we're all on flak right so maybe you guys can find figure out a way to meet and chat yeah sweet think what do we want to do by next week I think do we want to obviously I want to hold my own self accountable because we're getting some of the some of the some of the some of the some of the some of the some of the some of the I know everybody's chomping at the bit to try to get some designs and it's like some of the big things so we want to try to certainly start getting to the conversation with Sam put forward so how many weeks weeks between now when do you actually take off vacation Sam? I'm I'm out for just just different reasons and a bunch of merch so I will not be here like starting like more the entire month should we assume or so I'm here on Monday I will be available again Monday of the 16th Monday of the 16th and Monday of the no that's it okay so the ninth you're out I'm out the ninth and then I'm out like after the 16th pretty much through Coupcom yes okay do you think you can get the stuff written up for the second so next week we can I feel bad that there's a bunch of people I can't make this time zone that have been interested in like to do some kind of I'm gonna I'm gonna try to do that I can't it's not gonna then make it until I'm back 16th yeah you would would you make it by the 16th then you don't make the second yeah okay so I'm gonna I'm gonna it's anything I can do to help I'm gonna know you like with some other stuff that you've been kind of poking at but no I have I just have my new job yeah that's deliverable too so so true that you're the one I'm so trying catch up on this freaking artifacts high on high on a registration code okay cool who who's getting this recording or post I don't know how to get you're you're a fun I'll find that word I'll find it I'm using I mean and see it's going somewhere thank you that'll help that'll help just Vincent even though I can't see Vincent listening to four and a half our recording and who is going to Kukan obviously the three of us anybody else okay okay so tentatively assume Monday afternoon we'll have on Monday Monday afternoon afternoon okay we have we have every day container day on Monday AWS container day is on Monday yeah but you don't have to be there for I'm not I'm deliberately not going to do any amoring with customers on those days there are enough Kubernetes people to do that you should be able to get that yeah I mean I'm I mean I'm yeah the assumption is unless you're presenting that there's people that are covering it and it is the opportunity that we can break up because if I do it anytime during the rest of the week there'll be some other session that you're going to want to attend so Monday afternoon Monday afternoon as long as we have their Monday morning slash Sunday evening we get to leave some Seattle to get here on Monday at 9 a.m. I think they are the next day coming back it's nice going there if I have good things it's from this way anyway cool it's a train ride all right so for those on the bridge the notes are up there thanks that Shashank and thanks I do and Marina for putting stuff in there and John as well a little bit to drop so thank you thank you all right all right get on here thank you all right bye picture