EdgeGallery MECM open security compliance discussion points for release 1.1
Dear Architecture/Security WG,
There are 2 open security compliance points which need discussion and conclusion.
1. JIRA: Support Container Image Manage
Open Point 1: For this, the AppStore image repository password, which is added by the administrator from the portal, needs to be stored in the MECM DB. We would like to know if the same needs to be encrypted and then stored. If yes, whether the master key used to encrypt the same needs encryption too. If yes, whether we should have an independent implementation per EdgeGallery module or whether there should be a common module/library providing this service (something like Vault)?
Open Point 2: Whether the virus scan/tampering scan should only be carried out by the developer platform image repository (the first repository in the sequence) or would need to be done by the other modules' image repositories too.
2. JIRA: Edge Autonomous
Open Point: Whether the MEPM portal needs to perform user authentication/authorization by integrating with User-Management or by some other means. Also, if User-Management integration is not planned, the APPLCM backend would need to skip token-based authorization too; will that be fine?
The same is captured in https://gitee.com/edgegallery/community/blob/master/MECM%20PT/Release%20V1.1/MEMC%20V1.1%20Open%20Security%20Points.md. We would like to discuss and get a common conclusion on the same.
Thanks and Regards,
Gaurav
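The following is an added example, not code from EdgeGallery or from the author of the message above, showing the envelope-encryption layout that Open Point 1 asks about: the repository password is encrypted under a per-record data key (DEK), and only the DEK is wrapped with a master key (KEK) that never lives in the MECM DB. Everything here is an assumption for illustration: the KEK is simply passed in (in a real deployment it would be fetched from a Vault-like service at start-up), the record type SealedSecret stands in for the DB columns, and the repoID value is bound as AES-GCM associated data so a stored row cannot be quietly swapped between repositories.

```go
// Added example (not EdgeGallery code): envelope encryption of an image
// repository password before it is written to the MECM DB.
//
// Assumptions (hypothetical, for illustration only):
//   - kek is a 32-byte master key held outside the DB (e.g. from a vault/KMS)
//     and supplied by the caller.
//   - SealedSecret is the set of columns persisted per repository row.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
)

// SealedSecret is what gets persisted: nothing in it is usable without the KEK.
type SealedSecret struct {
	WrappedDEK string // base64(nonce || AES-256-GCM(KEK, DEK))
	Ciphertext string // base64(nonce || AES-256-GCM(DEK, password))
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext under key with a fresh random nonce and returns
// nonce||ciphertext||tag so the stored blob is self-describing.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen is the inverse of gcmSeal; any modification of nonce, ciphertext
// or tag, or a mismatched aad, fails authentication and returns an error.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// SealSecret generates a per-record DEK, encrypts the password with it, then
// wraps the DEK with the KEK. repoID is bound as AAD on both layers.
func SealSecret(kek []byte, repoID, password string) (SealedSecret, error) {
	dek := make([]byte, 32) // AES-256 data key, unique per stored password
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return SealedSecret{}, err
	}
	ct, err := gcmSeal(dek, []byte(password), []byte(repoID))
	if err != nil {
		return SealedSecret{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(repoID))
	if err != nil {
		return SealedSecret{}, err
	}
	return SealedSecret{
		WrappedDEK: base64.StdEncoding.EncodeToString(wrapped),
		Ciphertext: base64.StdEncoding.EncodeToString(ct),
	}, nil
}

// OpenSecret unwraps the DEK with the KEK, then decrypts the password.
func OpenSecret(kek []byte, repoID string, s SealedSecret) (string, error) {
	wrapped, err := base64.StdEncoding.DecodeString(s.WrappedDEK)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(s.Ciphertext)
	if err != nil {
		return "", err
	}
	dek, err := gcmOpen(kek, wrapped, []byte(repoID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pw, err := gcmOpen(dek, ct, []byte(repoID))
	if err != nil {
		return "", fmt.Errorf("decrypt password: %w", err)
	}
	return string(pw), nil
}

func main() {
	kek := make([]byte, 32) // constructed sample KEK; real one comes from the vault
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	rec, err := SealSecret(kek, "appstore-harbor", "s3cr3t-registry-pass")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", rec)
	fmt.Println(OpenSecret(kek, "appstore-harbor", rec))
}
```

The split into DEK and KEK is what makes the "does the master key need encryption too" question tractable: rotating the KEK only means re-wrapping the small DEK blobs, not re-encrypting every password, and the KEK itself is the single secret a shared Vault-like module would have to protect on behalf of all EdgeGallery components.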