4. DockerCon Europe
Trust today
● Transport level reliability
  – TLS connection between client and daemon
  – TLS connection between daemon and registry
● Namespace enforced by registry
● Basic authentication
December 5, 2014
5. Future of trust
● Globally federated namespace
● Distributed trust graph
● Public key cryptography
● Public key identity and fingerprint
● Chain of trust
6. Trust Graph
Key A3D8: dmcgowan, my client's key (key delegation, signed by x509)
Key 34F2: vbatts, Vincent's client's key (key delegation, signed by x509)
Grant vbatts “build” my images (signed by key A3D8)
7. Trust tool
● Trust as a tool separate from Docker
● Registers keys
● Creating and listing grants
● Key server specification
● Uses libtrust primitives
8. Demo
Key A3D8: dmcgowan, my client's key (key delegation, signed by x509)
Key 9B83: daemon's key
Grant dmcgowan “run” access to daemon (signed by key 9B83)
9. Image Provenance
Image provenance provides a verifiable record of the origin and contents of an image.
● Self describing signed images
● Content addressable layers
● Digital signature
● Next generation registry
● Docker trust model
● Separation of name and transport
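The trust graph on slides 6 and 8 and the provenance checks on slide 9 fit together in one small verifier: a root (standing in for the x509 issuer) delegates keys to namespace owners, an owner signs a grant that lets another key “build” in its namespace, and an image manifest that names its layers by digest is accepted only if the digests match and the signing key is authorized through that chain. The following Go program is an added illustration, not code from the deck, libtrust, or the Docker project. It assumes ed25519 keys, a constructed canonical byte encoding for delegations, grants and manifests, and a constructed four-hex-digit display fingerprint in the style of the slides; libtrust's real key ids and signature formats differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fingerprint is a display-only short key id like "A3D8" on the slides.
// Constructed convention: first two bytes of SHA-256 over the raw key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return strings.ToUpper(hex.EncodeToString(sum[:2]))
}

// Delegation: the root (stand-in for the x509 issuer) binds a client key to a namespace name.
type Delegation struct {
	Subject ed25519.PublicKey
	Name    string // e.g. "dmcgowan"
	Sig     []byte
}

// Grant: a delegated key allows another key an action ("build", "run") in the grantor's namespace.
type Grant struct {
	Grantor, Grantee  ed25519.PublicKey
	Action, Namespace string
	Sig               []byte
}

// Manifest: a self-describing image whose layers are named by content digest.
type Manifest struct {
	Repo   string   // "dmcgowan/app"
	Layers []string // sha256 hex digest of each layer
	Signer ed25519.PublicKey
	Sig    []byte
}

// Constructed canonical encodings: what each signature covers.
func delegationMsg(d Delegation) []byte {
	return []byte("delegation|" + hex.EncodeToString(d.Subject) + "|" + d.Name)
}
func grantMsg(g Grant) []byte {
	return []byte("grant|" + hex.EncodeToString(g.Grantor) + "|" + hex.EncodeToString(g.Grantee) + "|" + g.Action + "|" + g.Namespace)
}
func manifestMsg(m Manifest) []byte {
	return []byte("manifest|" + m.Repo + "|" + strings.Join(m.Layers, ",") + "|" + hex.EncodeToString(m.Signer))
}

type TrustGraph struct {
	Root        ed25519.PublicKey
	Delegations []Delegation
	Grants      []Grant
}

func (g *TrustGraph) AddDelegation(rootPriv ed25519.PrivateKey, sub ed25519.PublicKey, name string) {
	d := Delegation{Subject: sub, Name: name}
	d.Sig = ed25519.Sign(rootPriv, delegationMsg(d))
	g.Delegations = append(g.Delegations, d)
}

func (g *TrustGraph) AddGrant(grantorPriv ed25519.PrivateKey, grantee ed25519.PublicKey, action, ns string) {
	gr := Grant{Grantor: grantorPriv.Public().(ed25519.PublicKey), Grantee: grantee, Action: action, Namespace: ns}
	gr.Sig = ed25519.Sign(grantorPriv, grantMsg(gr))
	g.Grants = append(g.Grants, gr)
}

// nameOf returns the namespace the root delegated to key, if that delegation verifies.
func (g *TrustGraph) nameOf(key ed25519.PublicKey) (string, bool) {
	for _, d := range g.Delegations {
		if d.Subject.Equal(key) && ed25519.Verify(g.Root, delegationMsg(d), d.Sig) {
			return d.Name, true
		}
	}
	return "", false
}

// Authorized walks the chain root -> grantor (delegation) -> grantee (grant).
// A key is always authorized inside the namespace the root delegated to it.
func (g *TrustGraph) Authorized(key ed25519.PublicKey, action, repo string) bool {
	ns := strings.SplitN(repo, "/", 2)[0]
	if name, ok := g.nameOf(key); ok && name == ns {
		return true
	}
	for _, gr := range g.Grants {
		if !gr.Grantee.Equal(key) || gr.Action != action || gr.Namespace != ns {
			continue
		}
		// The grantor must itself be delegated for this namespace, and the grant must verify.
		if name, ok := g.nameOf(gr.Grantor); ok && name == ns && ed25519.Verify(gr.Grantor, grantMsg(gr), gr.Sig) {
			return true
		}
	}
	return false
}

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

func SignManifest(priv ed25519.PrivateKey, repo string, layers [][]byte) Manifest {
	m := Manifest{Repo: repo, Signer: priv.Public().(ed25519.PublicKey)}
	for _, l := range layers {
		m.Layers = append(m.Layers, digest(l))
	}
	m.Sig = ed25519.Sign(priv, manifestMsg(m))
	return m
}

// VerifyImage: layers match their digests, the signature verifies, and the signer may "build" there.
func VerifyImage(g *TrustGraph, m Manifest, layers [][]byte) bool {
	if len(layers) != len(m.Layers) {
		return false
	}
	for i, l := range layers {
		if digest(l) != m.Layers[i] {
			return false
		}
	}
	return ed25519.Verify(m.Signer, manifestMsg(m), m.Sig) && g.Authorized(m.Signer, "build", m.Repo)
}

// Scenario replays slide 6 with constructed keys and layers: the root delegates
// dmcgowan and vbatts, dmcgowan grants vbatts "build", and a stranger key forges a grant.
func Scenario() map[string]bool {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	dmPub, dmPriv, _ := ed25519.GenerateKey(rand.Reader)
	vbPub, vbPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	g := &TrustGraph{Root: rootPub}
	g.AddDelegation(rootPriv, dmPub, "dmcgowan")
	g.AddDelegation(rootPriv, vbPub, "vbatts")
	g.AddGrant(dmPriv, vbPub, "build", "dmcgowan")
	g.AddGrant(strangerPriv, vbPub, "build", "dmcgowan") // forged: the stranger was never delegated

	layers := [][]byte{[]byte("layer-0 (constructed)"), []byte("layer-1 (constructed)")}
	good := SignManifest(vbPriv, "dmcgowan/app", layers)
	tampered := [][]byte{layers[0], []byte("layer-1 (modified)")}
	return map[string]bool{
		"vbatts builds dmcgowan/app": VerifyImage(g, good, layers),
		"tampered layer rejected":    !VerifyImage(g, good, tampered),
		"vbatts cannot run dmcgowan": !g.Authorized(vbPub, "run", "dmcgowan/app"),
		"stranger image rejected":    !VerifyImage(g, SignManifest(strangerPriv, "dmcgowan/app", layers), layers),
		"vbatts owns own namespace":  g.Authorized(vbPub, "run", "vbatts/tool"),
	}
}

func main() {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("example display key id:", Fingerprint(pub))
	for k, v := range Scenario() {
		fmt.Printf("%-28s %v\n", k, v)
	}
}
```

Every check in `Scenario` should come back true: the forged grant is ignored because its grantor is not delegated by the root, a modified layer fails the digest comparison before any signature is examined, and a grant for “build” says nothing about “run”. The layer digests are what make the manifest self-describing and the name/transport separation on the last bullet possible: the registry that served the bytes is never consulted by the check.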
10. Get involved
● Attend the trust and distribution birds of a feather session
● Look at the proposals
● Look at next-generation registry design
● Provide feedback
11. Reference
● Trust system proposal (docker#9036)
● Authorization server proposal (docker#9081)
● Libtrust TLS (docker#8265)
● Trust tool prototype (libtrust#42)
● Next generation Registry (in the making)