docs: add CRL Design

[junczhu]

Description

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Add design doc of CRL support and CRL Cache support
Fixes: #1652

Type of change

Please delete options that are not relevant.

• New feature (non-breaking change which adds functionality)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

• Test A
• Test B

Checklist:

• Does the affected code have corresponding tests?
• Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
• Does this introduce breaking changes that would require an announcement or bumping the major version?
• Do all new files have appropriate license header?

Post Merge Requirements

• MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

[junczhu]

Found similar issue been raised to the markdown link checker: tcort/markdown-link-check#349
Double confirmed that the outlined links are working just fine:

 [✖] https://ratify.dev/docs/troubleshoot/key-management-provider/kmp-tsg#cert_invalid → Status: 0
 [✖] https://ratify.dev/docs/plugins/verifier/notation → Status: 0

[junczhu]

Add referenece of notation-go:
https://github.com/notaryproject/notation-go/pull/458/files
https://github.com/notaryproject/notation-go/pull/462/files

https://github.com/notaryproject/notation-go/pull/462/files#:~:text=func-,TestFileCache,-(t%20*
https://github.com/notaryproject/notation-core-go/pull/214/files#:~:text=func-,TestCertCheckStatus,-(t%20*

[junczhu]

Add CA that supports for testing the feature and all the perf limitations. (need discussion with notation team

[akashsinghal]

@junczhu thanks for the design :). Apologies in advance if some of the questions I have/already left have been discussed already.

Do you happen to know what the typical size of these CRL documents are?
If we go with a file-based approach, are there concerns with concurrent read/write operations? Would be great to understand what you're thinking of in terms of synchronization logic.

On a more general note, have we thought about how this fits in with network isolated workloads? How does OCSP/CRL content fetch work in scenarios like this?

[junczhu]

Add CA that supports for testing the feature and all the perf limitations. (need discussion with notation team

Got the CA suggested by Notation team.
Under testing

[junczhu]

@junczhu thanks for the design :). Apologies in advance if some of the questions I have/already left have been discussed already.

Do you happen to know what the typical size of these CRL documents are? If we go with a file-based approach, are there concerns with concurrent read/write operations? Would be great to understand what you're thinking of in terms of synchronization logic.

On a more general note, have we thought about how this fits in with network isolated workloads? How does OCSP/CRL content fetch work in scenarios like this?

Thank you for the questions!

1. A single CRL can be up to 32MiB. And I am about to resolve concurrent read/write by limited cache/fetch operation within a single process CRLHandler. And if it failed to cache, verifier would download to memory which also can resolve the similar race condition issue we have with oras cache.
2. notation use a fetcher for normal download operation, and in network isolated cases OCSP is not appliable, for CRL we can extend from the basic cache set interface and preload the bundles

[susanshi]

Discussed during community meeting, approved.

[JeyJeyGao]

@junczhu Do we have solution for network isolated workloads as mentioned by @akashsinghal ?

[junczhu]

@junczhu Do we have solution for network isolated workloads as mentioned by @akashsinghal ?

Once the CRL caching enables all the CRL download requests happen in the ratify main process. When CRL downloads from inside the verifier this is another sync in between progress related issue which is still under discussion. This may not be covered by this design.

As discussed with @JeyJeyGao offline, notation-go cache enabled user to write into the cache directly. Ratify is able to extend for network isolated workload cases.

[susanshi]

PR meeting , approved