Secure software distribution is a hard problem. A testament to this fact is the thousands of different software update systems in use today, most of which are vulnerable to a myriad of attacks that leave end users potentially open to compromise.
One of the major flaws of the existing systems is their inadequate trust revocation mechanisms, which provide little to no defense against key compromise. As a result, key compromises have put millions of software update clients at risk.
Enter Notary, an application built at Docker that aims to make the internet more secure by making it easy for people to publish and verify content. Notary follows a flexible security framework called TUF (The Update Framework), allowing publishers to sign their content offline and manage their keys securely.
In this talk I will go over Notary, its security guarantees, TUF and how we've integrated it into Docker, providing the ecosystem with a secure software distribution mechanism out of the box.
Diogo Mónica is the Security Lead at Docker, an open platform for building, shipping and running distributed applications. He was an early employee at Square where he led the platform security team. He received his BSc and MSc degrees in Communication Networks Engineering and is currently a Security Researcher at the distributed systems group. Diogo also serves on the board of advisors of several security startups and is a long-time IEEE Volunteer.