Questions about min_roles_in_agreement and many to one delegations
For multi-role delegations can min_roles_in_agreement include multiple instances of the same role? For example, if Targets delegates to Alice and Bob, who both delegate to Charlie, can Charlie's approval count for a min_roles_in_agreement of 2? If Bob also delegates to Daniela, how can he know to also check for her approval?
If Charlie's approval is not sufficient, the resolution of multi-role delegations in TAP 3 will need to keep track of which roles have been applied to min_roles_in_agreement. This will require the DFS to check all roles rather than returning after the first match, which could impact the efficiency of TUF.
This issue came out of a discussion about determining keyids.
See related bug in the reference implementation theupdateframework/tuf#920 where adding the same key with a different signature scheme enables a single key to fulfil a threshold of > 1.
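The two counting rules the question contrasts, as an added example that is not part of the original issue or of the TUF reference implementation: a full DFS with no early return collects every approving role under Alice and Bob, then `min_roles_in_agreement` is evaluated once per delegating role and once per distinct approver. The function names, the graph and the target name are constructed for illustration, and "approval" is simplified to a role listing the target, ignoring hash and length agreement.

```python
# Constructed graph from the question (not real TUF metadata):
# Targets -> {alice, bob}; alice -> charlie; bob -> {charlie, daniela}
DELEGATIONS = {"alice": ["charlie"], "bob": ["charlie", "daniela"]}


def approvers(role, delegations, approvals, target, _seen=None):
    """Full DFS: every role at or below `role` that lists `target`."""
    seen = set() if _seen is None else _seen
    if role in seen:  # delegation cycles must not loop forever
        return set()
    seen.add(role)
    found = {role} if target in approvals.get(role, ()) else set()
    for child in delegations.get(role, ()):
        found |= approvers(child, delegations, approvals, target, seen)
    return found


def agreement(multi_roles, min_roles, delegations, approvals, target):
    """Evaluate min_roles_in_agreement under both readings of the question."""
    per_role = {r: approvers(r, delegations, approvals, target)
                for r in multi_roles}
    # Reading 1: each listed role with any approving descendant counts.
    by_role = sum(1 for found in per_role.values() if found)
    # Reading 2: each approving role counts once, however it was reached.
    distinct = set().union(*per_role.values())
    return {
        "per_role": per_role,
        "by_delegating_role": by_role >= min_roles,
        "by_distinct_approver": len(distinct) >= min_roles,
    }


if __name__ == "__main__":
    only_charlie = {"charlie": {"pkg.tar.gz"}}  # constructed approvals
    print(agreement(["alice", "bob"], 2, DELEGATIONS, only_charlie, "pkg.tar.gz"))
    with_daniela = {"charlie": {"pkg.tar.gz"}, "daniela": {"pkg.tar.gz"}}
    print(agreement(["alice", "bob"], 2, DELEGATIONS, with_daniela, "pkg.tar.gz"))
```

With only Charlie approving, the per-delegating-role count reaches 2 while the distinct-approver count stays at 1, which is the same shape as one key satisfying a threshold greater than 1.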