Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

With this approach, dovetail generates a digital signature along with the plain-text report . Then the reviewer can use this signature to validate the integrity of the dovetail tool and the report. 

Why:

The report in plain-text is vulnerable, can be easily modified during storage and transportation.

...

Users do not need to know or learn any details about this procedure.

How:

The whole authenticating workflow show as following:

1. OPNFV generates the key pairs for each release
2. Dovetail uses this key and hash value of the dovetail tool  to build a binary signature tool
3. Users begin to run the dovetail tool, the dovetail tool will generate the report in memory, and then use the signature tool to check the integrity of dovetail tool, then sign the report
4. Dovetail tool saves the report to a report file
5. Users then can upload report and signature to the reviewer
6. Reviewer can get a public key from OPNFV to extract digest from signature
7. Then reviewer can validate the integrity of the report

Image Removed1. proposal for container security:

Temporary test results in container can be modified as well, we can improve this by following: 

1) the upstream project to do authentication on themselves

2) setup a database, and the database is dedicated for dovetail results, people with no permit can not access the database

3) use the REST API of FUNCTEST/YARDSTICK with SSL to make sure that these results are just existing in secured transportation and saved to db, and then no one can touch them.

 

Image Added

Remark: It is optional to upload the result to remote db. When user want to "dry run" the test, then all results will be stored locally. So it's convenient for users to adjust/modify their platform for a better result.