Trusted events

[jaipreet-s]

From the JEP, a conversation came up around being able to identify if events came from trusted components. For example, if a system is interested in capturing an audit trail of server activity, an important required would be to validate that these audit events came from a trusted source.

I'm writing down my thoughts on how the telemetry framework could make this easier

1. Provide a set of helper libraries to for publishers to sign events, and for consumers to validate the digest
2. Add fields in the record_event interface to allow event publishers to sign these events.
3. Provide other types of abstractions like a SigningEventConsumer or SigningEventPublisherto allow easier signing of events

cc @westurner @betatim @Zsailer @yuvipanda

[betatim]

I think for the audit use-case a set of guidelines/instructions about what properties a trusted source has to have would be important and helpful to users. For example a source that runs in the frontend or takes inputs (that it can't verify) from a thing that runs in the frontend should not be a trusted source. For a server extension it is less clear, for example what if the jupyter server uses a Python installation that allows users to install modules. Is that trusted or not (a user could probably install some code that modifies the server extension)?

-> having a set of guidelines how to assess if something is a trusted source and best practices for setting one up (where to store keys, where to run the code, etc) would be as important as signing events.