Closed FeynmanZhou closed 1 year ago
@FeynmanZhou we should start creating a threat model for Notary that we can use for the discussions with OSTIF. I've used https://github.com/OWASP/threat-dragon in the past for threat modeling. I would suggest that we create a preliminary model before the meeting with OSTIF.
I believe this is also related to https://github.com/notaryproject/notation/issues/409. We should consolidate on a single place to file issues, else it is becoming confusing and randomizing.
@yizha1 @FeynmanZhou @iamsamirzon @vaninrao10
I'm not sure how far along y'all are in the planning process, but we would like to see the design evaluated as part of this audit.
According to the CNCF TOC’s suggestion, Notary is requested to undergo a security audit targeting the Notary v2/Notation work, including Notation, Notation-go, and Notation-core-go repositories. I have submitted a ticket on behalf of the Notary community to request a security audit for the Notary subprojects. Ref https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-1580
@caniszczyk connected OSTIF team with us. OSTIF will bring a security audit introduction to us in a meeting on Feb 20. This issue is to track what we need to prepare for the OSTIF security audit.