Discussion of out of box experience for trust policy
@priteshbandi The purpose of the `notation policy init` is to improve the overall out of the box experience (OOBE) of the `notation` CLI. If an advanced customer does not think it is secure, that customer can compose their own policy file and use `notation policy import` to import it.
Originally posted by @shizhMSFT in https://github.com/notaryproject/notation/pull/568#discussion_r1136444701
Just posting the context of why we should have a notation policy init command:
For a 0-experience starter, the workflow of find our specs -> find a trust policy template -> learn how to use it -> change it to the values the user wants could be very hard. The learning cost for a fresh beginner is a bit too high.
A candidate as the default trust policy statement:
```json
{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "policy-by-init-command",
      "registryScopes": ["*"],
      "signatureVerification": {
        "level": "strict"
      },
      "trustStores": ["ca:default"],
      "trustedIdentities": ["*"]
    }
  ]
}
```
@priteshbandi Do you mind listing your concerns about the above trust policy statement here again, so we can discuss them under this post and find the possible solutions? Thanks.
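To make the review of that candidate concrete, here is a small linter (example code added for this discussion, not part of notation itself) that checks a trust policy document for the structural rules as I read them in the trust policy spec (that reading is an assumption) and warns on the two wildcard choices in the proposed default: the global `registryScopes` and the `"*"` trusted identity.

```python
# The default statement proposed in this thread, used here as sample input.
PROPOSED_DEFAULT = {
    "version": "1.0",
    "trustPolicies": [{
        "name": "policy-by-init-command",
        "registryScopes": ["*"],
        "signatureVerification": {"level": "strict"},
        "trustStores": ["ca:default"],
        "trustedIdentities": ["*"],
    }],
}

LEVELS = {"strict", "permissive", "audit", "skip"}
STORE_TYPES = {"ca", "signingAuthority", "tsa"}


def lint_trust_policy(doc):
    """Return (errors, warnings). The structural rules are my reading of the
    Notation trust policy spec (an assumption); warnings flag the wildcards."""
    errors, warnings = [], []
    global_count = 0  # policies whose registryScopes is the wildcard
    for p in doc.get("trustPolicies") or []:
        name = p.get("name") or "<unnamed>"
        scopes = p.get("registryScopes") or []
        if "*" in scopes:
            global_count += 1
            if len(scopes) != 1:
                errors.append(f"{name}: '*' must be the only registry scope")
            warnings.append(f"{name}: registryScopes '*' covers every registry")
        level = (p.get("signatureVerification") or {}).get("level")
        if level not in LEVELS:
            errors.append(f"{name}: unknown verification level {level!r}")
        stores, ids = p.get("trustStores") or [], p.get("trustedIdentities") or []
        if level == "skip":
            if stores or ids:
                errors.append(f"{name}: 'skip' must not list stores or identities")
            continue
        if not stores or not ids:
            errors.append(f"{name}: trustStores and trustedIdentities are required")
        for s in stores:
            kind, _, store = s.partition(":")
            if kind not in STORE_TYPES or not store:
                errors.append(f"{name}: malformed trust store {s!r}")
        if "*" in ids:
            if len(ids) != 1:
                errors.append(f"{name}: '*' must be the only trusted identity")
            warnings.append(f"{name}: trustedIdentities '*' trusts any signer the stores verify")
    if global_count > 1:
        errors.append("only one policy may use registryScopes '*'")
    return errors, warnings
```

Running it on the proposed default yields no structural errors but both warnings, which is exactly the trade-off between OOBE and a tight policy that this thread is about.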
An alternative would be notation policy init guiding the user to fill out the trust policy fields one by one in the command line with detailed descriptions of each field. In this way, the user won't need to find a template from our spec by themselves.
@yizha1 @shizhMSFT @priteshbandi
Duplicate of issue #653