Stefan Berger

Results 172 comments of Stefan Berger

@wking To resume this discussion. I integrated vTPM (with IMA namespacing) into Docker-CE 17.12. As part of that I found it to be necessary to support the following runtime spec...

> _house keeping:_
> TPMs seem like a fine thing to support, but this conversation died off. @stefanberger perhaps a fresh PR would be useful, and [#920 (comment)](https://github.com/opencontainers/runtime-spec/pull/920#issuecomment-328660319) asked if...

The update I pushed today adds all those fields that are needed to support the vTPM features implemented in runc PR https://github.com/opencontainers/runc/pull/1591

@wking
> Another approach to key distribution would be to encrypt to multiple public keys. For example, OpenPGP encrypts the payload with a random symmetric key, and then encrypts that...

I suppose the next question is how to implement this and what command line parameters to pass. I suppose `docker commit` should be instrumented to support this first. `docker build`...

Do we want to tie this in with `gpg` in some way or manage recipients in some way ourselves?

The pgp public key server may come in handy...

PGP seems to have its own message format. Section 5.1 (https://tools.ietf.org/html/rfc4880#section-5) describes the support for multiple recipients:

```
5.1. Public-Key Encrypted Session Key Packets (Tag 1)

A Public-Key Encrypted Session...
```

@wking The `enc.keyid_owner_account` would at least reduce the possibility of a key_id collision among different users, though not completely eliminate it (per user) but the key server could refuse two...

@wking Ok, so we can get rid of the account name if the keyid is sufficiently long to be unique and the central server, that would presumably somehow notify the...