Design integration of Trust Stores and Notation Config
The notation client currently supports `notation cert add` and has a config spec.
As we add Trust Stores and policy support, we'll need a design for how these interact.
@SteveLasker, @dtzar - This issue should be in Notation, not in the notary project, and I believe we have multiple open issues there to track the UX for configuration of the trust store and trust policy. I propose we close this here.
In summary:
- The trust store, as specified and implemented today with a directory structure, does not need configuration for adding/removing certificates for RC-1.
- For signature verification, all the configuration goes inside the trust policy, which refers to the trust store.
- For signing, configuration has to be done, and let's track it as part of the open issues in the Notation repo.
I think what @SteveLasker is getting at is the design spec on how `notation cert add` interacts with the config / trust stores / policies. I don't see any relevant item to track this specifically. Agree, though, that it should be an item in notation, not in notaryproject.
@dtzar - I was thinking we can use one of the "user story" items you recently created or this one https://github.com/notaryproject/notation/issues/225.
We can talk more tomorrow with some live color commentary from implementers, but my understanding is that for RC-1 we do not need any CLI commands for the trust store or trust policy.
I don't think it needs to be present for RC-1 as long as the usability is reasonable.
I just don't think we should close this item out yet, as I don't see it as a duplicate of another item per se.
The `notation cert add` command is now defined here: https://github.com/notaryproject/notation/blob/main/specs/commandline/certificate.md, which uses the CLI to manage the trust store.