Add scenario 12 for chaining from a trusted key (#96)

* Add scenario 12 for chaining from a trusted key * Combine implications and use registry terminology * Update scenarios.md Co-authored-by: Brandon Mitchell <git@bmitch.net> Signed-off-by: Marina Moore <mnm678@gmail.com>
notaryproject · Aug 23, 2021 · 2a15760 · 2a15760
1 parent ea93252
commit 2a15760
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/scenarios.md b/scenarios.md
@@ -275,6 +275,18 @@ A signer determines that a signed artifact is no longer trusted. This could be a
 1. Attackers attempting to replay revoked signatures should be detected by the verification.
 1. Revoking the signature for a single artifact should not require revoking the signer's key or signatures for all other artifacts by the same signer.
 
+### Scenario #12: Chaining from a trusted key
+
+If a user does not have a specific key for a given artifact, verified using a third party system, they will need to determine the trusted signing key(s) for an artifact by chaining from a trusted key.
+
+1. The user determines the trusted key(s) for a specific artifact using delegations from a trusted root.
+1. The user downloads and verifies an artifact using Notary v2 and the trusted key(s) discovered in the previous step.
+
+**Implications of this requirement**
+
+1. Users must be able to to access a chain of trust that links the signing key for a particular artifact to a trusted root.
+1. Users must be able to configure roots of trust.
+
 ## Open Discussions
 
 * What is the relationship between a signature, an artifact and a registry?