notaryproject / notation

A CLI tool to sign and verify artifacts
https://notaryproject.dev/
Apache License 2.0
355 stars 84 forks

Discussion of out of box experience for trust policy #590

Open yizha1 opened 1 year ago

yizha1 commented 1 year ago
@priteshbandi The purpose of the `notation policy init` is to improve the overall out of the box experience (OOBE) of the `notation` CLI. If an advanced customer does not think it is secure, that customer can compose their own policy file and use `notation policy import` to import it.

_Originally posted by @shizhMSFT in https://github.com/notaryproject/notation/pull/568#discussion_r1136444701_

patrickzheng200 commented 1 year ago

Just posting the context of why we should have a `notation policy init` command: for a zero-experience starter, find our specs -> find a trust policy template -> learn how to use it -> change it to the values the user wants could be a very hard workflow. The learning cost for a fresh beginner is a bit too high.

A candidate as the default trust policy statement:

```json
{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "policy-by-init-command",
            "registryScopes": ["*"],
            "signatureVerification": {
                "level": "strict"
            },
            "trustStores": ["ca:default"],
            "trustedIdentities": ["*"]
        }
    ]
}
```

@priteshbandi Do you mind listing your concerns about the above trust policy statement here again, so we can discuss them under this post and find possible solutions? Thanks.

patrickzheng200 commented 1 year ago

An alternative would be notation policy init guiding the user to fill out the trust policy fields one by one in the command line with detailed descriptions of each field. In this way, the user won't need to find a template from our spec by themselves. @yizha1 @shizhMSFT @priteshbandi
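The two ideas in this thread (write a default statement, or collect the fields one by one) both end with a trust policy document that should be checked before it is written to disk. The following Go program is an added example, not notation's own code and not posted by anyone in the thread. It parses the candidate default statement quoted above, validates the structure, prints review warnings for settings that are valid but broad (a `*` registry scope, a `*` trusted identity), and exposes a `NewPolicyDocument` helper of the kind an interactive init could call once it has collected the field values. The function names `Parse`, `Validate`, `Warnings` and `NewPolicyDocument` are this example's own; the verification levels `strict`, `permissive`, `audit`, `skip`, the `type:name` trust store form and the `x509.subject:` identity prefix come from the notation trust policy specification.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Field layout mirrors the candidate statement quoted in this issue; the Go
// types themselves are this example's own, not notation's.
type TrustPolicyDocument struct {
	Version       string        `json:"version"`
	TrustPolicies []TrustPolicy `json:"trustPolicies"`
}

type TrustPolicy struct {
	Name                  string                `json:"name"`
	RegistryScopes        []string              `json:"registryScopes"`
	SignatureVerification SignatureVerification `json:"signatureVerification"`
	TrustStores           []string              `json:"trustStores"`
	TrustedIdentities     []string              `json:"trustedIdentities"`
}

type SignatureVerification struct {
	Level string `json:"level"`
}

// Verification levels defined by the trust policy spec.
var knownLevels = map[string]bool{"strict": true, "permissive": true, "audit": true, "skip": true}

// candidatePolicyJSON is the default statement proposed in this issue (copied from the thread).
const candidatePolicyJSON = `{"version":"1.0","trustPolicies":[{"name":"policy-by-init-command",
"registryScopes":["*"],"signatureVerification":{"level":"strict"},
"trustStores":["ca:default"],"trustedIdentities":["*"]}]}`

// Parse decodes a document and rejects unknown fields, so a misspelled key such
// as "trustedIdentity" fails loudly instead of silently yielding an empty list.
func Parse(data string) (*TrustPolicyDocument, error) {
	dec := json.NewDecoder(strings.NewReader(data))
	dec.DisallowUnknownFields()
	var doc TrustPolicyDocument
	if err := dec.Decode(&doc); err != nil {
		return nil, err
	}
	return &doc, nil
}

// Validate returns structural problems that should stop the policy from being written.
func (d *TrustPolicyDocument) Validate() []string {
	var errs []string
	if d.Version != "1.0" {
		errs = append(errs, fmt.Sprintf("unsupported version %q", d.Version))
	}
	if len(d.TrustPolicies) == 0 {
		errs = append(errs, "no trust policy statements")
	}
	seen := map[string]bool{}
	for _, p := range d.TrustPolicies {
		if p.Name == "" {
			errs = append(errs, "statement with empty name")
		} else if seen[p.Name] {
			errs = append(errs, fmt.Sprintf("duplicate statement name %q", p.Name))
		}
		seen[p.Name] = true
		if len(p.RegistryScopes) == 0 {
			errs = append(errs, p.Name+": registryScopes must not be empty")
		} else if len(p.RegistryScopes) > 1 && contains(p.RegistryScopes, "*") {
			errs = append(errs, p.Name+": the \"*\" registry scope cannot be combined with other scopes")
		}
		if !knownLevels[p.SignatureVerification.Level] {
			errs = append(errs, fmt.Sprintf("%s: unknown verification level %q", p.Name, p.SignatureVerification.Level))
		}
		if p.SignatureVerification.Level == "skip" {
			continue // a skip policy verifies nothing, so stores and identities are not required
		}
		if len(p.TrustStores) == 0 || len(p.TrustedIdentities) == 0 {
			errs = append(errs, p.Name+": trustStores and trustedIdentities are required unless level is skip")
		}
		for _, ts := range p.TrustStores {
			if i := strings.Index(ts, ":"); i <= 0 || i == len(ts)-1 {
				errs = append(errs, fmt.Sprintf("%s: trust store %q is not in type:name form", p.Name, ts))
			}
		}
	}
	return errs
}

// Warnings flags settings that are valid but broad; an init command that writes
// a default could print these so the user knows what to tighten later.
func (d *TrustPolicyDocument) Warnings() []string {
	var warns []string
	for _, p := range d.TrustPolicies {
		if contains(p.RegistryScopes, "*") {
			warns = append(warns, p.Name+": applies to every registry and repository")
		}
		if contains(p.TrustedIdentities, "*") {
			warns = append(warns, p.Name+": any certificate in the trust stores is trusted; consider listing x509.subject identities")
		}
	}
	return warns
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// NewPolicyDocument builds the statement an interactive init would write from the
// values it collected, and refuses to return an invalid one.
func NewPolicyDocument(name string, scopes []string, level string, stores, identities []string) (*TrustPolicyDocument, error) {
	doc := &TrustPolicyDocument{Version: "1.0", TrustPolicies: []TrustPolicy{{
		Name: name, RegistryScopes: scopes, SignatureVerification: SignatureVerification{Level: level},
		TrustStores: stores, TrustedIdentities: identities,
	}}}
	if errs := doc.Validate(); len(errs) > 0 {
		return nil, fmt.Errorf("invalid trust policy: %s", strings.Join(errs, "; "))
	}
	return doc, nil
}

func main() {
	doc, err := Parse(candidatePolicyJSON)
	if err != nil {
		panic(err)
	}
	fmt.Println("errors:  ", doc.Validate())
	fmt.Println("warnings:", doc.Warnings())
	out, _ := json.MarshalIndent(doc, "", "    ")
	fmt.Println(string(out))
}
```

Run as-is, the program reports no structural errors for the candidate statement and two warnings (the wildcard scope and the wildcard identity), then re-serializes it in the same layout as the JSON above. The warnings are the part an init command could surface: the default is valid and strict, but it accepts any certificate from the `ca:default` store on every registry, which is exactly the trade-off an advanced user would want to know about before importing their own tighter policy.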

yizha1 commented 1 year ago

Duplicate of issue #653