requirements.md

Requirements

A collection of requirements and scenarios, framing the scope of the Notary v2 project.

TOC

• Goals
• Non Goals
• Scenarios
• Threat Model
• Key Stake Holders & Contributors
• Definitions & Terms
• Contributing & Conversations

Goals

Notary v2 aims to address the learnings and gaps of v1, while prioritizing a set of goals and scenarios.

1. Offline signature creation
2. Signatures attesting to authenticity and/or certification
3. Maintain the original artifact digest and collection of associated tags, supporting existing dev through deployment workflows
4. Multiple signatures per artifact, enabling the originating vendor signature, public registry certification and user/environment signatures
5. Native persistance within an OCI Artifact enabled, distribution-spec based registry
6. Artifact and signature copying within and across OCI Artifact enabled, distribution-spec based registries
7. Support multi-tenant registries enabling cloud providers and enterprises to support managed services at scale
8. Support private registries, where public content may be copied to, and new content originated within
9. Air-gapped environments, where the originating registry of content is not accessible
10. Key hierarchies and delegation
11. Key revocation, including private and air-gapped registries
12. Key acquisition must support users from hobbyists, open source projects to large software vendors
13. Usable workflows, enabled for the masses to easily create and consume Notary v2 signatures

Non Goals

1. Trust on first use
2. Implicit permissions on rotated keys
3. Compatibility with Notary v1

Key Stake Holders & Contributors

As we identify the requirements and constraints, a number of key contributors will be asked to represent their requirements and constraints.

Please submit PRs for companies, projects, products that you believe should be included:

• Registry Cloud Operators
  • Azure Container Registry (acr) - Steve Lasker [email protected] (@stevelasker)
  • Amazon Elastic Container Registry (ecr) - Omar Paul [email protected]
  • Docker Hub - Justin Cormack [email protected]
  • Google Container Registry (gcr)
  • GitHub Package Registry (gpr)
  • Quay - Hank Donnay [email protected]
  • IBM Cloud Container Registry (icr)
• Registry Vendors, Projects & Products
  • Mirantis Secure Registry (msr, formerly Docker Trusted Registry)
  • Harbor
  • JFrog Artifactory
• Controllers, Runtimes & Engines
  • Mirantis Container Runtime (formerly Docker Engine – Enterprise)
  • Mirantis Kubernetes Engine (mke, formerly Docker Enterprise/UCP)
• Artifact Types
  • OCI & Docker Container Images
  • Helm Charts
  • Singularity
  • Operator Bundles

Contributing & Conversations

Regular conversations for Notary v2 occur on the Cloud Native Computing Slack channel.

Weekly meetings occur each Monday. Please see the CNCF Calendar for details.

Meeting notes are captured on hackmd.io.