Allow appliance to enforce notary requirements

[hickeng]

Story As a security engineer I want a VCH to enforce the restrictions described by a notarized deployment for a set of images.

Details With the regular docker model the notary validation is performed by the docker CLI client - this makes sense as if deploying to a large scale set of docker hosts/swarm there's likely to be a variety of different requirements, and it's up to the person deploying the application/images to know which notarized variant they require.

However with a VCH it's a tenancy boundry as much as a container host, and as such should be enforcing correct behaviour as enshrined in it's configuration. It should not impose that burden or the requisite knowledge burden on the user.

Acceptance

• [ ] VCH uses configured notary services to vet images being pulled.
• [ ] VCH configured with notary cannot be used to pull unsigned images without explicit weakened config
• [ ] VCH configured with notary does not allow mix/match versions of images to be added to the same scope, or linked (freshness checking).

[hickeng]

high priority inherited from notary PRD planning.

[mhagen-vmware]

moving this back to medium based on our discussion yesterday of features not getting high priority tags.

[hickeng]

Bumped estimate as this still needs decomposing and the actually approach/detail requirements being settled.