requirements.md

Requirements

A collection of requirements and scenarios, framing the scope of Notary Project.

TOC

• Goals
• Non Goals
• Scenarios
• Threat Model
• Key Stake Holders & Contributors
• Definitions & Terms
• Contributing & Conversations

Goals

Notary Project aims to address the learnings and limitations of TUF-based implementation, while establishing and prioritizing a set of goals and scenarios for new implementation (this repository).

1. Offline signature creation
2. Signatures attesting to authenticity and/or certification
3. Maintain the original artifact digest and collection of associated tags, supporting existing dev through deployment workflows
4. Multiple signatures per artifact, enabling the originating vendor signature, public registry certification and user/environment signatures
5. Native persistance within an OCI image specification v1.1 enabled, OCI distribution specification v1.1 compliant registry
6. Artifact and signature copying within and across an OCI image specification v1.1 enabled, OCI distribution specification v1.1 compliant registries
7. Support multi-tenant registries enabling cloud providers and enterprises to support managed services at scale
8. Support private registries, where public content may be copied to, and new content originated within
9. Air-gapped environments, where the originating registry of content is not accessible
10. Key hierarchies and delegation
11. Key revocation, including private and air-gapped registries
12. Key acquisition must support users from hobbyists, open source projects to large software vendors
13. Usable workflows, enabled for adopters to easily create and consume Notary Project signatures

Non Goals

1. Trust on first use
2. Implicit permissions on rotated keys
3. Compatibility with TUF-based implementation

Key Stake Holders & Contributors

As we identify the requirements and constraints, a number of key contributors will be asked to represent their requirements and constraints.

Please submit PRs for companies, projects, products that you believe should be included:

• Registry Cloud Operators
  • Azure Container Registry (acr) - Steve Lasker [email protected] (@stevelasker)
  • Amazon Elastic Container Registry (ecr) - Omar Paul [email protected]
  • Docker Hub - Justin Cormack [email protected]
  • Google Container Registry (gcr)
  • GitHub Package Registry (gpr)
  • Quay - Hank Donnay [email protected]
  • IBM Cloud Container Registry (icr)
• Registry Vendors, Projects & Products
  • Mirantis Secure Registry (msr, formerly Docker Trusted Registry)
  • Harbor
  • JFrog Artifactory
• Controllers, Runtimes & Engines
  • Mirantis Container Runtime (formerly Docker Engine – Enterprise)
  • Mirantis Kubernetes Engine (mke, formerly Docker Enterprise/UCP)
• Artifact Types
  • OCI & Docker Container Images
  • Helm Charts
  • Singularity
  • Operator Bundles

Contributing & Conversations

Regular conversations for Notary Project occur on the Cloud Native Computing Slack channel.

Weekly meetings occur each Monday. Please see the CNCF Calendar for details.

Meeting notes are captured on hackmd.io.