Docker registry security


#1

With respect to docker trusted registry.

Is it possible to sign images with a CA cert such that a customer can verify that the image is signed by some delegate of the CA cert's trust chain? It seems like DTR has a binary mode of trust: either an image is signed or it is not, but not qualified by whom.

As far as I know, the security model is such that, on a per-machine basis, you create root, targets, timestamp and snapshot keys. Are we able to have these derive from an existing certificate, or is this impossible?
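Added example, not part of the question above and not Docker's or Notary's own code: it builds a CA-issued signer identity with openssl and, where the docker CLI is present, registers that identity as a Docker Content Trust delegation signer for a repository. The CA, the signer name `release-signer`, the repository name and the `$WORK` directory are illustrative; it assumes openssl and a docker CLI with `docker trust` (18.03 or later). The certificate is passed to `docker trust signer add --key`, which reads the signer's public key out of a PEM file (Notary's PEM parser accepts both PUBLIC KEY and CERTIFICATE blocks).

```shell
#!/bin/sh
# Added example (not from the original post). Creates a delegation signer whose
# public identity is an X.509 certificate issued by an existing CA, then
# registers it with Docker Content Trust. All names are illustrative.

WORK="${WORK:-$(mktemp -d)}"

# Hypothetical CA plus one signer certificate chained to it. In a real
# deployment the CA already exists and only the signer CSR is submitted.
make_ca_and_signer() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
  openssl req -new -x509 -key "$WORK/ca.key" -days 365 \
    -subj "/CN=Example Release CA" -out "$WORK/ca.crt" 2>/dev/null

  # Notary delegation keys are ECDSA P-256 by default, so generate the
  # signer key with that curve.
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/signer.key"
  openssl req -new -key "$WORK/signer.key" \
    -subj "/CN=release-signer" -out "$WORK/signer.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/signer.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/signer.crt" 2>/dev/null
}

# Chain check a customer could run out of band on the signer certificate.
# Prints "<path>: OK" on success.
verify_signer_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/signer.crt"
}

# Load the existing private key as a named signing key and add the
# certificate as a delegation signer on the repository. Skips cleanly when
# no docker CLI is available so the rest of the script still runs.
register_signer() {
  repo="$1"
  if ! command -v docker >/dev/null 2>&1; then
    echo "docker not available; skipping signer registration" >&2
    return 0
  fi
  docker trust key load "$WORK/signer.key" --name release-signer
  docker trust signer add --key "$WORK/signer.crt" release-signer "$repo"
}

# Usage: after registration, `docker trust sign "$repo:tag"` signs with the
# loaded key and `docker trust inspect --pretty "$repo"` lists the signer.
# make_ca_and_signer; verify_signer_chain; register_signer registry.example.com/team/app
```

Caveat worth keeping in mind when reading `docker trust inspect`: the certificate is only a carrier for the delegation's public key. Content Trust pins that key in the repository's targets metadata and verifies the image against it; it does not walk the X.509 chain back to the CA at pull time, so the chain check above is something the consumer has to do separately.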