Keys and associated certificates used for signing artifacts with Notary can be made available to users through a variety of solutions that provide secure key generation, storage and cryptographic operations. Some are well established, such as the PIV and PKCS #11 standards implemented by hardware tokens and smart cards. More recent options, which use a variety of authentication and API protocols, are remote key management services and signing services offered by third-party vendors and cloud service providers. Notation will support a few built-in integrations with standard providers, and will provide plugin interfaces so that users and vendors can implement their own integrations with the solutions they use. This allows a plugin publisher to implement, test, release and patch their solutions independent of Notation’s development and release cycle. This document provides the specification for the plugin model and the interfaces to implement. This specification aims to work both for existing and future signature formats adopted by Notary.
Terminology
Plugin Publisher - A user, organization, open source project or third-party vendor that creates a Notation plugin for internal or public distribution.
Plugin - A component external to Notation that can integrate as one of the steps in Notation’s workflow for signature generation or verification.
Default provider - Signing and verification mechanisms built into Notation itself to provide a default experience without requiring users to install or configure additional plugins. [We are yet to define what is included in the default experience].
Plugin mechanism
Requirements
Notary issue #72
Terminology
Publisher - User who builds and signs artifacts and publishes them to a registry.
Consumer - User or system that consumes (and deploys) signed artifacts from a registry. In the Notary Scenarios, Wabbit Networks is a Publisher and ACME Rockets is a Consumer.
Node - The Consumer-owned infrastructure (physical or virtual machine) on which the artifact is pulled and executed.
Orchestrator - The Consumer-owned software that manages aspects such as deployment, container placement, and scaling of a node cluster, e.g. Kubernetes, Amazon ECS, EKS, Azure AKS.
Node Agent - A daemon on the Node that the Orchestrator communicates with to perform actions on the Node (manage container lifecycle, health checks, etc.), e.g. the Kubernetes kubelet.
Trust Store - List of certificates/public keys trusted by the Consumer. A trust store is used for signature validation.
Meeting notes 4/8/21
Discussion about https://hackmd.io/9mc_kvXoRc2GmjOnz0_eYA
Justin - Signature expiry
Need not have additional expiry timestamp
There may not be an explicit support period by a publisher
Validation should not fail for expiry time
Niaz - for short lived keys