Re: Notary/TuF & GPG (& Harbor)

Brian Grant

Follow-up questions on Notary:
  • What is the degree to which trust is tied to the distribution mechanism? Can image identity be asserted independent of the distribution mechanism and, if so, how is that identity expressed? As a concrete example, if an image were pushed to multiple image repositories, would it need to be signed multiple times, one for each repository?
  • Could attributes other than identity (e.g., passage of certain types of validation/qualification tests) be attested by this mechanism? If so, could they be created by someone other than the image repository owner?
  • The main benefit compared to just signing an image digest is revocation?
  • Who owns ? It's not clear from the readme or authors files.
  • Is there any doc that describes the important distinctions between the capabilities of TUF, Notary, and DCT?
