 Good morning folks Or a good day is actually depending on where you are. I'll give folks a couple of minutes here. What? Did I miss something? All right, we've doubled our audience here It's always interesting these time These time challenges Hello there Ralph. What part of the world are you even in? We're in the world is Carmen Squalachi Does it matter? I guess it doesn't really matter I'm in Italy So CET very cool. Yeah, she way Okay Let me Actually pull this up here So the I wasn't sure if the house was gonna make it today for to cover his key management stuff so He didn't get on the agenda and I pinged him so we'll we'll see how that goes The main item we have in the agenda today is the stuff. We've been talking about on the prototype if you remember several weeks ago, we were talking about how We wanted to kind of build something and learn a little bit the We have lots of people coming in with their expertise in different directions. We were kind of you know making the analogy of you're building this house and You have lots of skilled labor coming in and they just want to do their thing But they don't know where to do their thing in the bigger picture So I was kind of using the analogy of In fact, let me Gaudi in how he's created some of his sculptures or not sculptures. I guess they are sort of sculptures where he created a model and That helped people interact and figure out where they can plug in So for instance neos has been focused on the key management portions. He doesn't necessarily know as much about The images and you know artifacts and so forth, but he knows the key management scenario is really well So he's been driving that effort Likewise, we've been talking about signatures and then other things with tops So we wanted to be able to kind of put this piece in place and then we'll keep on iterating and as we Get more and more through it. We'll learn more And go from there Justin and I were joking Cormac and I were just in the other day about building out the bathroom for this house, we don't so you know what the whole thing looks like and It was like it doesn't have a bidet. It's like, I didn't know we needed one. So now we can talk about putting one in So just kind of give an example of that So let me share my screen here. So we put out this PR That is that kind of next iteration the we had the original one Which is kind of talked about the process Well, we originally had the scenarios that we've been talking about for offline management and so forth and I'll walk through those And then we talked about how we wanted to build out this model so we can kind of build and learn and have something to discuss upon So this PR here talks about The workflow that we've been talking about that in a build environment outside of any public registry It's in some vendors some Projects environment, whatever that might be they can create everything from a docker image to an S-bomb of that image to maybe packaging the source and Bundlet and sign those individually Or sign the collection of the index and actually that alone is something that we that stirred up some good conversations So we'll talk about that Wherever that thing's built it's built by a certain entity it would be signed by that entity and From that their registry, which is like the original registry where it's created. They can push it to a public registry And then as users use it They could pull it to their private registry because we've been talking quite a bit around You know best practices are always about pulling him into your own registry Even though it's public content. So this way you have your own lifecycle control management your security boundaries your isolation from DNS as we've seen And you can deploy it in your environment and in that environment You are more than likely going to put secondary keys on That says regardless of what happened upstream this I only trust stuff in my environment And I'll talk a bit about this in the scenarios section we have down below So the prototype Focuses on the stuff that we put in the NV to org or the notary project org where we have the distribution Spec that's there We'll come back to that late. Well, we're phrasing to go in order. We've actually numbered these things So we have this NV to client which can do signing and verification. That's all it does It doesn't do push and pull its job for this prototype is just do signing a verification They could sign any OCI artifact and it would generate a signature and using your as client we can push and pull Things to a distribution registry The like I said the distribution registry portions will come later We've been working on some stuff there But we really wanted to focus on the signature aspect first because we know we can push and pull stuff to a registry So for this scenarios and this this is the interesting one that's kind of been Trying to find the balance of some of these things So we have the scenarios where basically we're gonna for now we're focusing on x509 cert the way she way Has built this which is really cool is that there's a couple of different ways you can do Verification objects a signature is one of them. In fact x509 is one choice We we had a GPG in there, but it seemed like that was adding more confusion so we pulled that out for now the the point was we can do multiples and The belief is that's where we were bringing something like tough as well So in this first phase we focus on just a core signature and we'll go through this experience here So the things like with Docker Hub makes it pretty interesting is that you have this public content that is Certified well, sorry if it's public content and there's these two categories. There's the certified certified content Which today is really a badge, but we were trying to think is like how could we make that more robust and more trusted? And then you have this community stuff that we don't want to limit Which also which has the wide range of some of the best projects in CNCF to Who knows what that is and in potentially bad content? So there's this wide range and we don't it's really hard sometimes to judge that range other than voting and so forth But we definitely wanted to distinguish this is between the two So the public content would actually be sorry the certified content could actually be signed in addition to the vendor It might be signed by Docker themselves as part of the Docker Hub certified content So the idea is that in the public content We're using the same hack me rockets one where they're building from public content, which they might have in their registry and then they But in their environment that they run their code They only trust stuff that's from Docker IO and acne rockets. In fact, that's part of the build process that will walk through here So the user discovers some certified content. They wish to acquire they copy the URL And they pass it to their Docker run command So in this case, it's Docker IO and I've shown that just for the clarity of of course, we don't need to specify that Hello world latest The user already has the Docker IO certificate certificate Enabling all certified content from Docker Hub and I'm totally hand-waving here on how they acquire their certificate Because what we've said is we really want to let the key management folks kind of focus on what they want to do there So we're hand-waving that for now One very just justifiable thought and I'm totally making this up is that because this is the actual Docker client Maybe and it's working with Docker hub. Maybe it can acquire the Docker hub sir I'm not sure I buy all of the security aspects. I'm not even gonna try to defend those right now, honestly But the idea is that there is this experience where That sir is trusted and there's like there's no tofu model in this case So because that company has locked them down to only allowing these two Certificates these keys to be used the image runs and verification passes just fine Now the secondary to one is the user discover some content same thing There's this awesome network monitor. They think looks like they think they want to use again They copy the URL they try to run it But it fails because in acme rockets, they've got trust required in even the parameter name. I'm just making up and you know enabled and As a policy and they don't have this Wabbit Networks Certificate so when they try to run it'll fail Because it just it's not allowed so the user can To say and again experienced here aside, you know the user can either disable the trust required key assuming their enterprise would allow that policy or they have to figure how to acquire that key and There's lots of ideas of how they might do that again, we're gonna ignore that for now So the user requires the Wabbits key They decide that that is an entity that they want to trust they save it and whatever the local store means again Hand-waving on key management, but now they can do the docker run of this thing because it's they do trust that entity So I'm gonna pause there for a second and I realize I kind of skipped on the agenda So I wanted to go through the scenarios including the private registry Scenario and then I was gonna hand off to shiwei to actually go into the detail of the signature design Hi Steve, so I was sharing your screen because I cannot see it I am are people I'd never actually paused to ask did anybody not see my screen? No one so your screen Steve All right, it is 7 a.m. You were charming Thank you all those keep them in snow. I was there thinking Steve's decided to do this just by talking without any screens Can you guys see my we still can't see my screen, can you? Yeah, we can now Okay, I'm not getting the border. I had the border that whole time. Do you see just one screen? Just the the nv2 prototype thing. Yes Okay. All right, whatever. I must have gotten some update or even know whatever So what I just walked through was this experience here this picture here where the nv2 client signs and artifacts Generates a signature the or is client pushes it and this is basically the content of the read be of that PR So I went through this section here And the only thing I was gonna do actually did I even cover this one? No, it's actually okay. That's fine because now that I've done sharing my screen and walk through the whole thing Let's get hand off to she way anyway Any questions on the scenarios before we drill into the the signature stuff itself Hi, Steve. I do have a question. I thought earlier I was when I was in the meeting you mentioned that one key scenario is You know keep the signature valid As you know when it's moved from red one registry to another if that's still it within the scope Absolutely. Absolutely. Um In fact, where did I she way? Where did I put that content? Is it in? I could have sworn I read that. Yeah Oh, I see it's in the signature specification goals So here so why now that I can share my screen and everybody can see it So we have offline so on the signature specification page and this is the one where I went she way to drive But I'll just do the goals to answer your question Daniel and then I'll get out of the way So offline signature creation So in fact when he creates the signature we're actually doing it without a registry even in the picture And there was an interesting thing around images that we've at least temporarily filled the gap I say template's clean. I'm not sure where the container these stuff lands in the space So with the signature Created you can persist it with an OCI artifact enabled registry And artifact signature is copied within and across and when I say within it's within a registry We can go from repo a to repo b so dev to staging to production Or from a dev registry to a production registry or from Docker hub to a private registry and so forth We want to support registry public registry acquisition of content with a public content. Maybe May public registry may host certified content as well as public content So or non-certified. That's the community stuff that I was just referring to We'll support private registries where public content is copied into And the new content is originated within so within my Acme rockets company. I've got lots of secure rocket technology that I don't want that IP public So I'll keep that in our private registry And air-gapped environments where the originating registry of content is not accessible We also want to support multiple signatures so if you cut what I was just referring to is the The Wabbit networks has their own key that they build themselves. They then host it on Docker hub and at first They're a community content. They actually didn't get a second key So we walked through that scenario where the company that wanted it had to go get the Wabbit networks key and then Eventually it became Docker certified. So now there's a Docker IO key on it as well So it's it's got that additional trust, but when I pull it into my environment I actually don't trust anything other than the Acme rockets key So there is that multiple signatures and the last one here is maintain the original artifact digest and tags So that when the DevOps workflow that says deploy Network monitor version v1 that I don't have to change that tag or it's digest Depending on the choice I make to move it through the workflow the signatures will always be Associated with that tag and digest. We're not, you know, changing so a good question is Is revocation included in the signature model so that if something were to happen to One of the private keys that you trust is there like a way built in to kind of revoke trust in that key Yeah, so key revocation again, isn't that key management portion? So I Know Niaz has been working on that. There's So I'll defer to them on that one. But yes, we definitely want to keep that in mind But not in mind. We want to keep that as a very core scenario And the only reason I didn't put it here is I'm just kind of leaving it in the whole key management stuff I believe Niaz is PR on their key management scenarios covers that Okay, yeah Any questions before I hand it off to Shue. I'm sure you'll have lots of questions for him Shue, you want to take it? You want to share your screen and just walk through your signature design? Yes, let's all confirm we can Yeah, so so here's the thing is the proposal for the notary public loan signing signatures. So basically we can sign Manifest based things like outside image index outside image manifest dog image manifest list dog image manifest and Oh, and we can sign everything and offline. Yeah So it's pretty simple that we can generate some X file and I said and the keys before it is for example here we it generates keys for the for the registry example calm and The key is the example key and so it is the example start and the certificates Will be something like this one. So it has two parts. The first part is the actual content. So in this scenario it is the expiry time or before an issue add digest digest is the manifest digest and the size is the manifest size and The ex cp means expiry. So as the Siner I want this sign content to be expired after a certain time and of of course This kind of things cannot be valid before a certain time at the time is the unit's epoch time and Here's the volume color the issue at actually It's the time that the signer sees these this manifest and There's also a public call references. That's the original references of this tagged for this manifest that is claimed by this signer and In the signature part currently we only support the X file 9 type It has a signature and the chain of the X file 9 certificates and it's used to sign all reason of the 256 which is the IC plus the shot 256. So basically only the People who has the key for the third of the registry example calm can sign a content with the reference Of the domain name of the registry dog example calm So if you have if you have no sirs, you cannot say okay, this This manifest comes from This original tag if you have a Cert of registry other example calm you cannot sign it but you can sign something like Registry dot another example calm slash hello words or something else So This file is just a file that means it can be stored on your file system or it can be stored in on to a OCI Compatible registry via OCA artifact. So in this case, this is a command showing that we can use over us to push the Signature to the remote registry as the artifact. Of course the The signature is stored as a manifest config where the manifest has no layers and That's the details of the sign part and the signature part and I just give you few Second to read the through Sorry, could you just paste the URL of this page into the chat? Yeah, sure When your screen sharing it's a little hidden hover over the screen shared one bar at the bottom. Yeah Just look for the screen chat session there I've sent out the URL Perfect. Thanks. Yeah, and here's the example of the exponent signature and And Yes, you don't wish to show the certificate chain in your certificate I mean in your signature you can use a key ID instead any questions So I will say I I apologize. I did say last week. We're gonna get up the PR early So the people had a chance to review early and not assume they can review it on the weekend didn't get it out as early as I wanted so We obviously not looking for final feedback today. We want people to have a chance to digest everything and look it and this And and the registry Protocol enhancements that are somewhere else in the documentation This is pretty close to where I've ended up with as far as the design goes but I fairly skeptical that it is can just be Enhanced or generalized to encompass stuff or anything like that without too much structural change If you are going with this, I think we are To an extent commit into a design a design I like but still I just want to put it out there So just to reiterate what I think I heard you talking about Milo's was the With this is a sketch like we don't expect this to be the final This is like putting the bathroom at design out and Justin comes over and says but where's the bidet? I'm like, oh, we can think about it. So where do we need bidets Ralph in colleges? We absolutely have to have bidets. So where's the bidet that belongs in here? One of the things that came up was some encoding conversations because we focused mostly on the content of the signature in this one We know that there's a long-standing Conversation of canonical Jason and others and we've been reaching out to Trishonk and Radu for some of the stuff They did with CNAB to understand how they you know, or dealt with it there We've talked about it encoding and some other stuff Derek had given some feedback that honestly I had to record it and We need to incorporate that feedback so we can bring that forward as well But what was so I wouldn't view this as any kind of file of design yet It's like I said, it's that sketch to facilitate that conversation But Milo's what what is what are you if you were saying something there that? You felt like we're missing already or what was that concern? not really a concern from my point and just Once you have a CLI or a model that works with individual files like this. I imagine that Modifying is this to also support or somehow intercor Incorporate or abstract the tough model, especially the Recent versions there ever single power registry state that is signed all over It's just not going to be all that easy So that we are basically committing to a direction by stopping with this prototype whether we want to or not Yeah, I guess I just kind of reinforced that we're we're not done yet We kind of think about as a phase one and we'll do more. We don't expect anybody to start using this yet Other than to say hey, we're where's the bidet, you know, what else what else do we need? So for instance the encoding was one of the things that came up that we want to be able to That we just need to digest a little bit and and put you know put that feedback in I Would say that as far as like a notary v1 or docker content trust we've said from the beginning that this is a breaking change We're not trying to incorporate that we don't have enough usage of the old one that Says we have to have absolutely support that for the registries that do support our docker content trust That can stay there as long as they want For customers to move over we in ACR we follow this carrot and stick model You know, we we don't try to deprecate something and force people over we try to provide a new feature and The new feature should be so much better that customers move over self-select and then only after the majority of customers have moved over And there's always some remnant Because the remnant is doesn't care about the new scenarios. They've automated some tooling around it It's not important then we come back and we contact them and do the stick kind of thing So my hope is whatever we do with notary v2 In the final design with the bidet that customers will opt in themselves and we won't have any, you know, then they'll re-sign if you will The their content that we're using docker content trust and notary v1 they'll re-sign it with mv2 notary v2 And you know, they'll make a smooth transition over. You also mentioned something about the registry. There is some stuff in there about the registry APIs. We're still early on that. We're even debating amongst ourselves. So Hopefully we can get to that next week. If not, it might be the following week, but we certainly want to get more feedback on there We just don't have enough of the the thoughts written down to have a good discussion over it. So that's why we're We're not ready to kind of delve into that part. We've got a bit of a tease in here just to get the ideas out there Daniel, we did you want to say something? Yeah, I'll talk into another guy in the chat window, but I Mean in this Jason object, there's a reference which has the host name, right? When you move this to another registry The URI of the, you know, the artifact will change. So how does this still be valid because the host name has changed and it's moved to another registry? Great question So from a scenario and this is one that actually was pretty cool that we that we were discussing Let me just I'll be shared so we can I will actually make sure I'm sharing it So I believe that sharing it now, right? Can everybody see? Yes, thumbs up from Ralph. I got a visual thumbs up So this one was an interesting when they came up and at first I was kind of digesting what the guys had come up with as well The idea is that if and I was debating on using example or acme rockets and or rabbit networks or whatever So imagine this was I'll just use examples So example.com is that community content that pushes up to Docker hub and now I pulled it from Docker up It's totally valid that it's from Docker hub. All it's saying is that this has some original Content associated with example.com rabbits network calm And I can get it from anywhere. There's nothing that stops where I get it from what's really interesting about this though is I promote this from Example to Docker hub. I now pull it into my org the Acme Rockets org In the Acme Rockets org I can now sign it. Well, I take it. I scan it I run some unit and verification tests against the thing and I decide that this content is actually good for my environment So now it's certified for my environment So now I'll give it a secondary or it might even be a third because there's examples in Docker But then there's an Acme Rockets key that I put on this. There's a whole another signature object this remember This is this object doesn't expand. There's a secondary Signature object that now has Acme Rockets registry dot Acme Rockets dot IO Example latest and now in my environment if I go all the way back up to here So as example here goes to Docker. I bring it to mine in my environment I put another signature on it that says this is Acme Rockets signature and it'll have it registered at Acme Rockets dot I something And or dot something and now in my environment my opa or whatever policy agent I want to use will say I will only deploy content that has the Acme Rockets key and It will only deploy content that came from the same registry that I want to secure So there would be another signature object that says registry dot Acme Rockets dot hello Sorry comm slash hello world And I should put more read me content out there to explain that There doesn't even need to be a separate signature The client which is already somehow configured to have a set of trusted public keys can also have a set of mappings Let's say for this project This must be example dot com slash hello world and if it doesn't match the upstream registry would be rejected So you can have done verification with mirroring without too much extra overhead You're absolutely right, and I'm sorry. I skipped the obvious one if you remember back here Here in this example the customer is set up to accept anything from docker.io or Acme Rockets dot IO So and let's say their public content Let's say this is a rabbit networks and that So sorry, I'm having a hard time trying to explain what should be clear Yes, whatever search they want if they want to accept the public cert from Wabbit networks To in their production environment that is totally valid I was trying to explain the scenario where there's an extra cert that you can put for your limit because in the case in that case the This URL when it comes from Wabbit networks or in this case of this case, here's the third that's actually is Acme Rockets You can put you whoever signed it puts the registry name that they won on it Daniel did that make sense or did I just confuse it by bouncing around too much? Yeah, I think it makes sense to me, but I don't recall the detail of TAF, but I think this is a different model from what TAF does, right? Do we have any no maintainer of TAF to comment because I think This is something that TAF believes You know has I would say it's flawed. So they make all this hierarchy stuff to solve some problem. I don't recall the details of TAF, but I think You know in some Session of TAF they mentioned this model is flawed or problematic Well, I think that One concern that TAF has is that if something like Acme Rockets.io was compromised How would that affect the security of the system? Because if the system's trusting That this came from this server if that server is compromised you then lose the That integrity So you need to make sure that there's like other Aspects of it as well so that you make sure that the signature can't be compromised if the Repository is compromised basically So whatever key is used to sign these files I think this might get into the key management, but whatever keys used to sign these files if that is also stored on this Acme Rockets server then a single server compromised then Gets rid of the security of the system Which would be the concern there I think So yes, we this doesn't this isn't the tough model at this point. This is what we called phase one we As we've been going through this over the last several weeks one of the things we've been discussing is the struggle of there was some stuff around tough requiring that the Requiring the assumption is the client is that secondary has some metadata on it. That's a secondary validation And it to support the rollback problem. We're not trying to solve the rollback problem in this particular prototype This is it's a pure signature. It's a trust that the signature the keys are valid until they're revoked So it's more pivoted on I don't say it's more pivot on the private Registry scenario, but it's the ability to move stuff into private registries So this shows that how we could sign something have a key associated with it and move it across environments As we get more of this figured out and you know in those details We want to be able to go back and address the security and usability aspects of tough related to registries We do want to support that secondary verification But in the container space we can't assume the client has some previous state We refer to it as the ephemeral clients where every time I start up a new environment in the serverless Container space that there is no previous state on there There has to be some acquisition of keys and acquisition of to to validate and we want to dig into that more To make sure we can get both the security and the usability of tough to figure to fit into this And that'll be part of the phase two work Steve if I may yeah, please so I that makes that explanation makes perfect sense to me the thing that I'm wondering is that Without the assumption that is also not in scope for the prototype currently being placed somewhere that The question of an incompleteness of where we are right now will be Abstract so people will come into the project go out of the project for a moment and we'll come back in And they won't really know what this addresses and doesn't address So I think it might be really helpful like what you said we're like it's not in scope for this step of the prototype Right. I think it would be really helpful if we actually documented what that situation was the use case was and Said that this is an open issue for future phases that we you know Let's draw a line around that whole Scenario so that we don't get distracted by what this doesn't do because in focus on what it does That makes sense. No, it makes perfect sense. I was just making a note that we should We've had some of the we've had all the scenarios written down I can read the exact numbers then we'll have the key management scenarios I think probably creating some kind of grid that shows here's what we're doing in phase one Here's what we're doing in phase two. Here's what left and we don't know what phase three four or five might be yet Have these open issues that we want to solve that that's a great way to communicate that I'll I'll volunteer to help you out with such a matrix because I think that would be for people who aren't here every single week That come in and go and of course, we're all very, you know busy With the entire world right now that would be super super helpful for people to understand like what phase what has been tackled But it's still not addressed and things like that. I think that would be good. So I'll volunteer for that help Sweet thanks makes perfect sense Anybody else? I was looking for the chat session. I explained the shoo away where to get up and now I can and find it You have to stop sharing to get oh, there it is. It's the orange one popped up right there I just put in the hack MD link in there because I noticed people we don't have any notes or even who's here So please sign yourself in there so we can Help there any other it's got to be other questions. It can't be that simple Whereas people just need more time to read through which is perfectly fine Actually from my perspective, I think I need time to read through the specific details But the fact that clarity on what you're trying to achieve here and what isn't being achieved is a great step forward I think so that makes it possible for us to focus precisely on what is here So not just write up the things that Daniel was saying to be more crisp about us trying to explain But also put this table in which I'll definitely take your volunteering of To say here's the list of things and here's where we're at now and what will come later Yeah, I think it also helps because uh, it makes it makes it clear the progress that we intend to have through the work that we do and That I think will help everybody feel a lot more comfortable at a how we're addressing every single situation and what isn't addressed explicitly So then the things that aren't addressed explicitly at any point in time become very clear subjects that you can discuss As opposed to gosh was that address or did we just forget or you know things like that sounds good So we we do have a little time left um One of the things we said is if there's some time we can walk through what we what we've been iterating on the experience And the experience has been like this loop. It's hard to kind of come up with this design without having the nb2 Like a nb2 client experience that generates it So the the one thing that I'd actually say is for people to kind of take a look at This is the one area. This is the signature object that we Are creating. It's actually a formatted version of the signature object to be clear Normally it's non-format in no white space and that's part of the canonical conversation. We need to drill into but We also got some feedback that you know, basically having this even split and encoded in a way so that you can retrieve the information That the decoding of it doesn't create opportunities to hack into it So anything along those lines would be great feedback too For that the not for that I'm going to stop sharing and let shiwei pick up if you wanted to walk through the nb2 client experience Just to kind of get a feel For that interactive experience Yeah, sure, uh, just let me show my screen And while it's early for me on west coast, it's late for shiwei. So we're going to give him some patience for whatever he types Okay, so Yeah, that's good Okay, so so you can see this window right Yep Yeah, that's good And the first thing first that says we have to generate the case for the x4 and i certificate And this is copied from the Irving to Documentation so just let me Send out the link for you guys Or where's the chat window? It's the top one in your screen share. Yeah. Yeah, I see that. Yeah Okay Yeah Okay, so Yeah, so I generated uh next step is to uh Just let me Have a hollow words Just right here and let me create a doc file to To create an image so we find our pine Uh, just do a CMD echo hollow world Very simple one And then we do a docker build uh That's tea. Hello And Here we go And uh, we can do a doc around here Hello Hello world And later, uh, we uh, so to find it we have to generate the Generate the manifest for this Uh image because docker does not Store the manifest in the system where you build it is only generated when you push it. So I created a Uh, a doc CLI plugin to generate the manifest so Just let me Send out the link for the The tool I have So here's the link so When if you have the doc generates the plugins installed you can Generate do this doc generate Generate manifest Hello and Uh, all to put it to a manifest Dock JSON file Can't hit we say jq here So this was the conversation you guys might have heard a couple weeks ago where we were, um Having this conversation where the manifest should be created stored saves and what the formatting of it will be so, um for now She way just built this manifest generation tool, which is pretty cool and we'll incorporate that What should be in the manifest generation and signature is going forward later on, you know, as part of a future conversation So, uh, this manifest will be exactly the same as the one, uh, that's the doc Push will be pushed to the registry Okay, so next let me do a me to sign Sign dash m x file nine And we use a key, which is the example key and The third with the example doc set and we can specify the expiry time like one year that is 8,760 hours and We can satisfy the the references like registry would call Yeah, so registry example Slash maybe a call hello world Slash latest or 3.0 And a file here a manifest file And I think that's all and of and of course, uh, let me output it to Signature.json file So when it's signed it outputs the digest of the, uh, manifest So let me do Uh, cat stick it's the signature. It's not human readable. So let me pass it to jq So if that's the how the signature looks like So, uh, what if you if what if you try to sign a Image, uh, that is not from the registry.example.com. You will have this arrow So the certificate is the only valid for the registry.example.com. It's not valid for registry.example.com Hey, and of course you can sign without any references I just remove that and the expiry date is also optional so It just signs the digest and the size without any Uh, other references or expiry dates Like that, but it has a issue the issue date All right, so let me find the original one To verify it You type the obi to verify uh and Of course, I need to specify this third for the uh I mean the root third for the Uh, for the signature because it's a it is a self-signed signature. If it's not a self-signed it is for example, it's a c That is The certificate from the the system pki then you don't need to pass any certificate to it and also The manifest for the the signature file and the manifest file and It verifies on a successful verification. It outputs the digest of the manifest and also the return volume of the Process is zero and that's the standing process of the normal v2 one and In in some case, you don't want to Store the certificate in the x in the sick file. So you just want to have a key id instead. So in this in that case Six two and remove the third part and the signs and Of course, you can verify it Let me catch the six two first The signature with the key id for the third And let me Verify it verify That's the third for example. Oh, sorry. It's example third and file Manifest also take the the stick to file Yeah, and it's verifies so Let me try other thing Let me sign something without third and the first signs to another registry for example, registry 2.example.com In that case because the third is not passed to the mv2 sign. So The domain name is cannot be verified at the signing time Okay, so I sign it storing the stick does takes some file Let me verify it If I see the third And And the signifies the stick takes some and the manifest file is the manifest file And it fails always return value of one And saying that the certificate is only valid for the Registry.example.com is not for the registry 2.example.com so So that's the local signing and verification Chile One thing I was just following I think I see what the difference is but can Originally when you try to sign With registry 2 because the cert was only for registry.example.com this the signing failed. How did you get that to sign this time? Because I don't provide the The certificate at the signing signing part. So there's no dash c here So you just provided the key not the certificate? Yeah, so so because without the certificate The mv2 does not know the domain name of the Certificate so it cannot verify at the signing time Gotcha, but you can verify it at like this. This is an example where you'd still catch it on verification Yeah So just okay, so just let me sign here Sign it again using the using the pop key and the pop domain name here Sign this one and verify it and verify it Okay So do you have a question as moment? Just we want to be really careful to always appreciate everybody's style of communication So by all means, you know slack Issues feedback on the issues is also awesome. So whatever works for you guys If no questions, let me continue Okay, so actually shoot. Hold on. I just noticed the comment a major concern for me is that the verify The verify step must at least allow and preferably direct the fault to verifying the reference against the expected value prevent trial Trivial substitutions and attack. Just take a look at the notes there an attack. Oh, okay, so You're actually asking about the versioning thing. Is that kind of the root of your question? I think I've been precise The way this was demoed, the certificate is matched against the host name or maybe the repository But there are not needs to be needs to be something that enforces the whole the full identity including versions of the images I'm not a great question replacing images like the latest tag But if a client asks for three two, the client needs to get needs to get three two Shoei, can you bring up the full signature example or just scroll up? You've actually got it in your output there where you've got No, I know that the signature format allows it Is just the verification implementation current currently doesn't know that's fair So remember what we're trying to do here and this is like the rollback scenario You could say is not in scope for this phase one Okay, so let me just point out something tell me what I'm missing then because this is exactly the bidet conversation Right, like where I want to make sure we're all I'm capturing what you're asking so Where the thing that's gets signed is hello colon v1.0 and you could put hello colon latest and v1 You know, whatever those list of tags that you want the verification is just saying that this was signed by registry.example.com It's not making any statement on The which that the specific tags and so forth What we did incorporate in here, which was really cool because I hadn't thought about this until I saw what he'd come up with Is you have this combination of the digest and the list of tags the What regexes or what other opa policies or other policies you put on looking at the The references and so forth. That's completely up to you guys and what whatever the user wants to use here So all we're saying here is that this thing is signed by the entity and it's not making any attestation to or trust section of Whether it's a v1 or v2 or v3 that's you know in your deployment scripts You decide I want to deploy v1.0. I want to deploy v3 You might have a policy that says I won't deploy anything that it's hard to say less than with with tags, but Certain things you could exclude as part of your policy. That's the the versioning history is not really in scope What we're trying to accomplish Is that what you were getting at? kind of I mean the the signature format clearly allows what I what I want to happen The thing that the client's tuning must also Anticipate it and support that enough to be practical in the workflow So if there is a verify signature step that just says fine The image is pulled and run and the user is then tasked with somehow matching the The signature with the expectations. That's difficult If the verification step explicitly Requires the The reference to match Then we will have to talk about how that is implemented. What is the policy? How is that configured? and If we do that together with the configuration That specifies the trusted truth keys or trusted CAs and so on it is a much better user experience Because it does logically belong together So the thought process is security is multi-stepped But it shouldn't be so complex. I agree with you. I obviously I mean What do you ultimately want as a user experience is to just say docker pool Registry example consulate. Hello. We want zero And for the signature to be automatically Downloaded automatically verified automatically enforced Agree the best case scenario Complications that are going there is going to be configuration that needs to happen in advance But the best case scenario should be absolutely transparent 100% So the in fact we talked about doing like a docker-nv2 client as part of the experience But we're trying to be careful on how much experience we got into what I what I think you're kind of getting at is Think of it as this workflow that we could incorporate together There imagine you had the first to just verify the signature is good And then you had a policy manager that says I only expect this the policy manager could actually incorporate the signature part as well I guess that's fair So if I knew we're just kind of you go ahead Ralph Well, no, so if I understand what's what's being discussed and I and I want to so I'm going to try um Basically what we're talking about here is componentizing each individual step Must be required in the manner that the end user of course expects them all to have been done But this particular step you're demonstrating here really is just a portion of that And the end user experience will have to have all of them in some form We just haven't demonstrated what specific form yet Is that seem fair? So for example, the the the question that I just heard was like well the docker poll call is the user experience So all of this has to happen Inside that docker poll call in some way shape or form Whereas what we're really doing is making sure that all those features are possible Where they end up in terms of the the actual experience of the user is tbd. It hasn't been you know figured out yet that What do you think that makes sense? Based on what i'm hearing or am I Out in left field somewhere maybe The reason I ask is because it did sound to me like what we're saying here is that the verification At deployment time is simply not part of what we're seeing right now Right what we're seeing right now is the signature Capability so from my perspective thinking about like a matrix of stuff that it isn't in this phase For example, that would be one of the empty boxes. So it says nothing about the deployment verification of this Yeah, I think that's a good way to approach this Is that a does that seem like it? Describes the world you feel like you're looking at Once we get further along and we're at time. So we'll wrap up here on that We did want to demonstrate how opa for instance as an example could incorporate this as well So we'll we'll start to see some of these pieces more clearly come together But the point you're pointing the thing you're pointing out is exactly the kind of pieces that we want to componentize to make enabled through the experience The problems if we put too many of them together Then it gets overly complex just to start And that's my personal opinion. Like this is what docker did really well docker rink and their cli is it's it's Progressively just progressive disclosure. You start off by saying docker run. You don't do a poll. You don't do anything. It just works And then over time you keep on passing more information to and you get more and more values So the first step here is it's just signed. It's it's valid. It came from example.com That's like the trust factor I want when I want to add additional policy It says, hey, I don't want these other versions. I only want this version and these other Things specific to it. That's a next piece we could layer in and This has been the longest the biggest part of the whole conversation of the usability has got to be there Security is only as good if it's usable if I put 15 locks on the door And it's so difficult to open every time Somebody's going to jam the thing under the door to keep the door wedged open And that kind of bypasses all security. So we want to make sure all that's incorporated in the usability If there's nothing else, I do want to respect everybody's time. We have the recording We obviously have the issue up for uh, or the pr for people to comment on so please do We have the slack channel for all kinds of conversations We'll discuss this week whether we want the 7 a.m. Or go back to the 10 a.m. Pacific time Sorry, I should use a more worldwide clock definition So I really appreciate everybody's time for coming in at this time and uh We'll talk more about when we want to do next week, but Keep the slack conversations coming Thanks, folks. I'll speak to you next week or we'll see you on slack Also, thanks for all the work Thanks. She way he's been uh Doing a ton taking a lot of feedback. So thank you work helps work helps