Videos
The Update Framework (TUF) provides a unique level of protection against attacks on software distribution and updates. Marina Moore will discuss how TUF can ensure secure distribution for registries. She will present an adaptation of TUF for use with the Notary v2 project that addresses diverse secure distribution use cases unique to the registry ecosystem.
When repositories are compromised, TUF and Notary provide protection so that users are not at risk. This talk focuses on some of the key innovations that make this possible, including self-revocation, key rotation, and integration into supply chain validation software such as in-toto.
Software distribution and packaging systems are rapidly becoming the weak link in the software lifecycle. This talk provides an accessible overview of two CNCF projects (Notary and TUF) that provide what has been roundly described as the most secure mechanism for distributing software. Notary, which implements the TUF specification, signs and transparently validates metadata to enable the system to recover from the compromise of servers, theft of keys, insider attacks, etc. Notary / TUF are surprisingly easy to use and are used to provide cutting-edge security not only across major cloud companies, but across a diverse set of adopters, including automobiles. WARNING: Attending this talk may cause (justifiable) fear in the software update mechanism on your devices!
The Notary v2 project is a rework of the infrastructure for container signing, supporting additional OCI Artifacts, such as Helm, Singularity and CNAB. It addresses the design and usability issues that have been found with Notary v1, and signing in a multi-registry world. The major focus is on signatures as first-class elements of registries rather than on running a sidecar database. It addresses the signing usability issues, enabling broad provider and customer adoption. This session will give an overview of the Notary v2 community project at present, and the roadmap. This session is for anyone interested in container signing and what the new project is working on.
The Notary v2 project is a rework of the infrastructure for container signing, supporting additional OCI Artifacts, such as Helm, Singularity and CNAB, and fixing usability and other issues. This session examines the current state of the project, discussing the design decisions as they relate to the target scenarios. This session is a working session intended to engage all participants in face-to-face discussion.
The Notary v2 project was launched at Kubecon North America in 2019, as a joint community effort to resolve issues with the first generation Notary, which was launched five years ago. Since then we have learned a lot about how containers are used in practice and about the security requirements, and Notary v2 builds on that experience from the whole community. The protocols are OCI registry native and designed to improve the supply chain security of the whole container ecosystem. This talk gives an overview of the progress and the problems being solved, and then a deep dive into the state of the specification and implementations. We also cover current open issues and the road to production.
Notary v2 is a community project to solve the issues with the existing Notary project that have hindered widespread adoption. The project is a community initiative with the main registry operators, including Docker, Microsoft and Amazon, as well as a broad community of other interested parties and end users. This talk will cover an overview of the project status and cover the open issues and current working areas for the project, around formats and standardisation, open security issues and future work.
Notary v2 is a community project to solve the issues with the existing Notary project that have hindered widespread adoption. The project is a community initiative with the main registry operators, including Docker, Microsoft and Amazon, as well as a broad community of other interested parties and end users. We will provide an overview of the state of the Notary v2 project to build registry-native supply chain security for containers, and will show how it fits in with other supply chain initiatives that are being worked on. We will outline the road to production for Notary v2, and the remaining work to do.
This talk gives an overview of the status of the Notary project, and the Notary v2 work, and the context in the broader ecosystem. Supply chain security is becoming increasingly critical and its importance has been recognised, but the ecosystem of tools around this is confusing. So this talk will cover the context of the key ideas, including the TUF and in-toto projects and how they relate to the security outcomes people want to achieve.
As supply chain security becomes a larger concern for all types of organization, the tooling for supply chain security becomes critical. The Notary v2 project was set up to address issues with the original v1 project that did not see widespread use, and to gather consensus on the types of security mechanisms that were needed. This talk will show the progress we have made, and go through the decisions we made so far, as we are going into early production use. We will look at the future roadmap and the supply chain landscape.
Notary, used to secure container image updates, is the most widely adopted implementation of the TUF protocol. However, since Notary’s design around Docker Hub in 2015, container registries have proliferated and some of the design decisions don’t support the needs of a multi-registry world. This talk looks at redesigning the model to allow portability of container images between registries, with signature data stored alongside the image data so that it can be pushed and pulled together with the image. This reworking of Notary will enable easier portability of images, and improve supply chain security by enabling mirrors and users of mirrors to validate image data, allowing users to easily work with cloud and local registries, offline caches and other common architectures.
Software distribution and packaging systems are rapidly becoming the weak link in the software lifecycle. This talk provides an accessible overview of two CNCF projects (Notary and TUF) that provide a secure (compromise resilient) mechanism for distributing software. Notary, which implements the TUF specification, signs and transparently validates metadata to enable the system to recover from the compromise of servers, theft of keys, insider attacks, etc. Notary / TUF are surprisingly easy to use and are deployed not only across major cloud companies, but across a diverse set of adopters, including automobiles. WARNING: Attending this talk may cause (justifiable) fear in the software update mechanism on your devices!