Based on some investigation I did (described in more detail in https://github.com/docker/distribution/issues/1143#issuecomment-288247071), I discovered that a PEM-formatted rootcertbundle is required to start the registry with token authentication (I didn't see the PEM format requirement of this file documented anywhere).
Since a registry using token authentication never does any signing of its own, and a public key is sufficient to verify the token signature, I'm wondering why it's necessary to provide the certificate at all. If the full cert bundle is in fact unnecessary, I believe it would be more secure to just provide the public key. Otherwise, some documentation explaining why just the public key is insufficient would be helpful.
> I discovered that a PEM-formatted rootcertbundle is required to start the registry with token authentication (I didn't see the PEM format requirement of this file documented anywhere)
We should document this. Using PEM-encoded x509 certificates is pretty standard, but that should be explicitly called out.
> Since a registry using token authentication never does any signing of its own, and a public key is sufficient to verify the token signature, I'm wondering why it's necessary to provide the certificate at all.
Certificates are just for defining which public keys to trust; not sure I follow the logic of how not signing is relevant to how the public key is specified.
> If the full cert bundle is in fact unnecessary, I believe it would be more secure to just provide the public key.
Please justify this statement: in what way does a certificate chain decrease security for specifying a key to trust? If you don't have a CA already to manage these keys, then it is OK to create a self-signed CA for specifying the public key. At no point should the signing key be used to sign a certificate here. Generating a new throw-away key for a CA and signing a certificate with your public key accomplishes the same thing as specifying the public key, but it does it in a standard way that encourages better key management. I will agree with you that we are missing documentation and likely a set of instructions for using openssl to generate these self-signed bundles.
I was getting the roles of the private key and certificate confused here; please disregard anything I suggested about security :man_facepalming:, and thanks for noting the potential for documentation improvement.
So what is the correct way to generate a rootcertbundle for the v2 registry? Still struggling with:
ci_registry.1.xhi9871omxwj@moby | time="2017-07-06T11:21:30Z" level=info msg="token signed by untrusted key with ID: \"F3Z7:D7RR:NJ5G:XCCE:XCDB:2RUI:PG3Q:WQYS:ECRN:JCR2:6VUE:PSY5\""
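Added example (my own Go, not the registry's code and not the maintainers' instructions) covering both the generation advice given earlier in the thread and the "untrusted key" log line above: `makeBundle` has a throw-away CA issue a PEM certificate for the token-signing public key, and `trustedKeyIDs` reads such a bundle the way the registry does, deriving each certificate's libtrust key ID in the same `F3Z7:D7RR:...` form the log prints. The function names are mine, and the example assumes RSA keys and that the token's `kid` is matched against this ID.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base32"
	"encoding/pem"
	"math/big"
	"strings"
	"time"
)

// keyID is the libtrust fingerprint the registry logs: SHA-256 of the PKIX DER, 240 bits, base32, 12 groups.
func keyID(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an RSA key
	sum := sha256.Sum256(der)
	s := base32.StdEncoding.EncodeToString(sum[:30]) // 30 bytes -> exactly 48 chars, no padding
	var groups []string
	for i := 0; i < len(s); i += 4 {
		groups = append(groups, s[i:i+4]) // "F3Z7:D7RR:..." is this grouping
	}
	return strings.Join(groups, ":")
}

// makeBundle: a throw-away CA key issues a cert carrying the token-signing PUBLIC key (that key signs nothing).
func makeBundle(signingPub *rsa.PublicKey) ([]byte, error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // throw-away; only used to sign the cert below
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "throwaway CA"}, IsCA: true, BasicConstraintsValid: true}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "token signer"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, signingPub, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err // caller checks err
}

// trustedKeyIDs loads the bundle as the registry does: every PEM CERTIFICATE block contributes
// its subject key's ID; a token whose "kid" is outside this set is "signed by untrusted key".
func trustedKeyIDs(bundle []byte) map[string]bool {
	ids := map[string]bool{}
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if cert, err := x509.ParseCertificate(block.Bytes); block.Type == "CERTIFICATE" && err == nil {
			if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok { // assumes RSA token-signing keys
				ids[keyID(pub)] = true
			}
		}
	}
	return ids
}
```

If the ID of the key that actually signs your tokens is missing from `trustedKeyIDs(bundle)`, the bundle contains certificates for some other key, which is exactly what the log line above reports.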