The Cloud Native Computing Foundation (CNCF) filled a gap in its security coverage by bringing two new open source projects under its umbrella. The CNCF Technical Oversight Committee voted to accept the security-focused Notary and The Update Framework (TUF) as its latest hosted projects.
While each is counted as its own project, the CNCF noted that Notary is built on TUF: it is an implementation of the TUF specification rather than a separate design. The organization counts them as its 13th and 14th hosted projects.
TUF was first developed in 2009 at New York University’s Tandon School of Engineering. It was designed to slot into a larger software distribution framework and to keep clients safe even when individual signing keys or repository servers are compromised.
Justin Cappos, professor in the computer science and engineering department at New York University and initial author of the open source specification, explained that TUF uses cryptographic keys for content signing and verification. TUF works as a secure, general-purpose design for software distribution and updates.
“TUF is like a protocol or a way of doing something,” Cappos explained. “It’s like having the http protocol for a website, but it helps with the transfer of data.”
Cappos noted the specification has been audited by several security groups, and a variant of it has been adopted by companies in the automotive industry under the Uptane label. It is also being evaluated as a security option for medical devices, the Internet of Things (IoT), and power grid deployments.
Contributors to the specification include CoreOS, OCaml, Python, Rust, Tor, and Docker Inc. It’s used in production environments by Docker Inc., Leap, App Container, Flynn, OTAInfo, ATS Solutions, and VMware.
Docker Inc.’s dabbling with TUF led to the creation of Notary in 2015. David Lawrence, senior software engineer at Docker Inc., explained the company initially used Notary to secure container image updates.
Notary creates, manages, and distributes the signed metadata that lets clients verify the content they download. It provides a client and a pair of server applications: one hosts the signed metadata and the other performs the limited online signing the design allows, so the most sensitive keys can stay offline.
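To make the signing-and-verification model in the paragraphs above concrete, here is an added example (not code from TUF, Notary, or Docker) of a TUF-style client check in Go, the language Notary is written in. It assumes a deliberately reduced model: only the root and targets roles (TUF and Notary also use snapshot and timestamp roles), Ed25519 keys identified by the SHA-256 of the public key, signatures over the raw JSON bytes rather than canonical JSON, and constructed artifact bytes in place of a real image layer. It shows why a threshold of signing keys gives resilience to key compromise: an attacker who steals one targets key cannot get a forged targets list accepted, and bytes that do not match the signed digest are rejected even under genuine metadata.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

type Role struct { // which keys may sign a piece of metadata, and how many of them must agree
	KeyIDs    []string `json:"keyids"`
	Threshold int      `json:"threshold"`
}

// Signed is the payload of root metadata (Keys, Roles) or targets metadata (Targets); every payload expires.
type Signed struct {
	Expires time.Time         `json:"expires"`
	Keys    map[string][]byte `json:"keys,omitempty"`    // keyid -> raw Ed25519 public key
	Roles   map[string]Role   `json:"roles,omitempty"`   // "root", "targets"
	Targets map[string]string `json:"targets,omitempty"` // path -> hex SHA-256 of the file
}

type Metadata struct { // what the repository serves: the raw payload plus signatures over those exact bytes
	Signed     json.RawMessage   `json:"signed"`
	Signatures map[string][]byte `json:"signatures"` // keyid -> signature
}

func hashOf(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) } // file digests and key IDs

// sign serialises payload and signs the bytes with every key. Real TUF signs canonical JSON; here
// the client verifies the bytes it received, so any encoding that is stable end to end suffices.
func sign(payload Signed, keys ...ed25519.PrivateKey) Metadata {
	raw, _ := json.Marshal(payload) // a Signed value always marshals
	md := Metadata{Signed: raw, Signatures: map[string][]byte{}}
	for _, k := range keys {
		md.Signatures[hashOf(k.Public().(ed25519.PublicKey))] = ed25519.Sign(k, raw)
	}
	return md
}

// verifyRole accepts md only if at least Threshold distinct keys that trusted assigns to role signed
// md.Signed, and the payload is well formed and unexpired. A missing role yields threshold 0 and fails.
func verifyRole(md Metadata, trusted Signed, role string, now time.Time) (Signed, error) {
	r := trusted.Roles[role]
	valid := 0
	for _, id := range r.KeyIDs { // iterating the role's key list counts each permitted key once
		pub, sig := trusted.Keys[id], md.Signatures[id]
		if len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, md.Signed, sig) {
			valid++
		}
	}
	if r.Threshold < 1 || valid < r.Threshold {
		return Signed{}, fmt.Errorf("%s: %d valid signature(s), threshold %d", role, valid, r.Threshold)
	}
	var payload Signed
	if err := json.Unmarshal(md.Signed, &payload); err != nil || !now.Before(payload.Expires) {
		return Signed{}, fmt.Errorf("%s: malformed or expired metadata", role)
	}
	return payload, nil
}

// VerifyArtifact is the client's chain of trust: pinned root -> delivered root -> targets list -> file bytes.
func VerifyArtifact(pinned Signed, rootMD, targetsMD Metadata, path string, content []byte, now time.Time) error {
	root, err := verifyRole(rootMD, pinned, "root", now)
	if err != nil {
		return err
	}
	targets, err := verifyRole(targetsMD, root, "targets", now)
	if err != nil {
		return err
	}
	if want := targets.Targets[path]; hashOf(content) != want {
		return fmt.Errorf("%s: not listed in targets or hash mismatch", path)
	}
	return nil
}

// Scenario builds a tiny repository (one offline root key; two targets keys, 2-of-2) and returns the client
// verdicts for a genuine update, a forgery by one compromised targets key, and a tampered file. nil = accepted.
func Scenario() (genuine, forged, tampered error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader errors are not expected in a demo
	t1Pub, t1Priv, _ := ed25519.GenerateKey(rand.Reader)
	t2Pub, t2Priv, _ := ed25519.GenerateKey(rand.Reader)
	rid, t1id, t2id, now := hashOf(rootPub), hashOf(t1Pub), hashOf(t2Pub), time.Now()
	root := Signed{Expires: now.Add(365 * 24 * time.Hour), Keys: map[string][]byte{rid: rootPub, t1id: t1Pub, t2id: t2Pub},
		Roles: map[string]Role{"root": {[]string{rid}, 1}, "targets": {[]string{t1id, t2id}, 2}}}
	rootMD := sign(root, rootPriv) // root doubles as the client's pinned trust anchor in this demo
	image, evil := []byte("constructed sample layer bytes"), []byte("constructed attacker bytes") // constructed inputs
	good := Signed{Expires: now.Add(24 * time.Hour), Targets: map[string]string{"layer.tar": hashOf(image)}}
	bad := Signed{Expires: now.Add(24 * time.Hour), Targets: map[string]string{"layer.tar": hashOf(evil)}}
	genuine = VerifyArtifact(root, rootMD, sign(good, t1Priv, t2Priv), "layer.tar", image, now)
	forged = VerifyArtifact(root, rootMD, sign(bad, t1Priv), "layer.tar", evil, now) // attacker holds only t1
	tampered = VerifyArtifact(root, rootMD, sign(good, t1Priv, t2Priv), "layer.tar", evil, now)
	return genuine, forged, tampered
}
```

Scenario() returns nil for the genuine update, a threshold error for the forgery, and a hash-mismatch error for the tampered file. Two properties carry the security argument: the root role is separate from the targets role, so the key that vouches for signing keys never has to be online to publish a release, and the verifier counts each permitted key at most once, so an attacker cannot meet a 2-of-2 threshold by signing twice with the one key they stole. The expiry check is what stops a compromised server from serving an old, still validly signed metadata set forever; in full TUF the short-lived timestamp role makes that window hours rather than days.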
Lawrence said the “holistic” nature of TUF’s development made it a great option for Docker Inc. as it was looking to find a security angle for container image uploading.
“If you tack on an organic patch, it’s rare that they solve the real problem without causing new ones,” Lawrence said. “This is holistic and built from the ground up as a secure signing system. This is a real paradigm shift to building better tools.”
Lawrence added that because Notary is written in Go, like other CNCF projects such as Kubernetes, it should integrate more easily with them.
Notary is used in the Docker container platform for Docker Content Trust and the docker trust subcommands; by Quay as a library; by CloudFlare as part of its PAL tool for container identity; and by LinuxKit to distribute its kernels and system packages.
By bringing Notary into CNCF, Lawrence said Docker Inc. is looking to garner further reviews on the robustness of the platform.
“We have had audits done and some integrators have also had audits done, but it’s always better to have more eyes on a project,” Lawrence said, adding this will allow for prioritization of updates and features.
Chris Aniszczyk, COO of CNCF, said the organization is looking forward to bringing on a security component with a focus on the container ecosystem. It also allows CNCF and its other projects to participate in the evolution of the specification.
CNCF membership should also bring more attention to Notary and TUF, with Aniszczyk admitting he hadn’t even heard about TUF prior to the recent work on integrating it into CNCF.
“There is definitely some cachet in being part of CNCF,” Cappos admitted. “We think this will help to get it more quickly out into the community…The more we can improve and strengthen the solution is really key.”
Notary and TUF join the dozen other projects hosted within CNCF. Those include Kubernetes for container orchestration; Prometheus for monitoring; OpenTracing for application flow monitoring; Fluentd for logging; Linkerd for service mesh; gRPC for remote procedure calls; CoreDNS for service discovery; containerd and rkt for container runtimes; CNI for container native networking; Envoy for edge and service proxy; and Jaeger for distributed tracing.