CNCF Brings In Notary, The Update Framework to Boost Container Security

The Cloud Native Computing Foundation adds a pair of open-source security efforts to its project roster, providing cryptographically verifiable software integrity.

The Update Framework

The Cloud Native Computing Foundation on Oct. 24 announced that it is expanding its project roster with the addition of the Notary container trust project and The Update Framework security effort.

The Notary project was originally developed by Docker and provides a content signing framework to help verify the cryptographic integrity of a container application image. Notary makes use of The Update Framework (TUF), which is a specification for enabling secure software updates.

The new additions are the CNCF's 13th and 14th projects since its creation in July 2015. The open-source Kubernetes container orchestration project was its first hosted project. The two new projects follow the CNCF's Sept. 13 announcement adding the Envoy and Jaeger projects.

"Notary is a content signing framework implementing the TUF specification in the Go language," the CNCF project proposal states. "The project provides both a client, and a pair of server applications to host signed metadata and perform limited online signing functions. It is the de facto image signing framework in use by Docker, Quay, VMware, and others."

The need to secure container virtualization with some form of digital integrity is an idea that Docker creator Solomon Hykes first discussed with eWEEK in a 2014 video. The open-source Notary project became integrated with the Docker 1.8 .0 release in August 2015 under the feature name Docker Content Trust. Notary relies on TUF, which is a software development and update model that was described in detail by co-creator Justin Cappos, an assistant professor at New York University, at the DockerCon 17 conference in April.

"If you have the green HTTPS padlock in your browser, it tells you the browser has a secure connection to a server," Cappos said. "It doesn't say anything about whether the server has a valid update or know what the correct update is and whether the server itself has been compromised."

Docker first proposed the donation of Notary at the CNCF Technical Oversight Committee meeting on June 20. At the same meeting, Cappos proposed that TUF become a CNCF project as well. The addition of Notary and TUF to the CNCF project roster, however, only came after months of discussion and debate on GitHub as well as various mailing lists.

There are multiple requirements a project must meet for acceptance into the CNCF. Among the most important is alignment with the CNCF's mission of enabling cloud computing to expand.

"Notary is the most secure and widely adopted implementation of The Update Framework to date and represents a critical building block for ensuring the provenance and integrity of data in the field of cloud native computing," the proposal states. "We want the TUF specification to be accepted into CNCF because it will make a clear statement of the importance and expectations the community must have for the security of their software distribution channels."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.