W. Trevor King
> Would we want to try an OpenPGP type of decryption of the layer first (assuming the layer is in OpenPGP format) and if this fails fall back to asking...
> The enc.keyid_owner_account would at least reduce the possibility of a key_id collision among different users, though not completely eliminate it (per user) but the key server could refuse two...
@stefanberger, central servers and alternatives seem out of scope here (maybe they would be in-scope for [the distribution spec][1]?). Once you have a set of recipient IDs and payloads encrypted...
> ... because I can see how you distribute the keys for the image being a significant cloud native function, and one that has to comport with all the current...
> What I don't like about it is that it encodes Key IDs in the Public-Key Encrypted Session Key Packets that don't give a hint of who these keys are...
> Updated proposal. Looks like you have stale `enc.algo` and `enc.keyid` references now that the meat is all under `org.opencontainers.image.enc.keys`. Also, as I [mentioned earlier][1], annotation values must be strings,...
On Wed, Feb 14, 2018 at 01:45:24PM +0000, Justin Cormack wrote: > This is kind of weird - I think this should be part of the OCI spec > as...
Would you ever need multiple keyrings of the same type? I can't think of a reason, if it's possible at all. If it's not possible, I recommend using an object...
On Thu, Feb 15, 2018 at 04:56:30PM +0000, Justin Cormack wrote: > I followed what we do for namespaces… I think the namespace structure would have been easier to use...
Travis failure is #945.