Marina Moore
While writing a revision to the TAP, I found a couple of additional interesting points. First: What should the rotate file be named? The filename was previously defined as role.rotate.ID,...
Role names: The TUF spec does not specifically forbid roles with the same role name, but in practice it would not work as the role's metadata file is named rolename.json....
@hannesm @JustinCappos Clarifying key revocation: I have a few thoughts about the role name discussion. Specifically how to ensure a key revocation is always seen by the client, and how...
@JustinCappos One potential problem with this proposal is the roles defined in the TUF spec (timestamp, snapshot, etc). These roles can't be delegated to new rolenames in the case of...
> * Can we make it more clear in the object format that a delegations object needs _either_ `name` or `succinct_hash_delegations`, and `path_hash_prefixes` is optional. If the delegations object includes...
The discussion in theupdateframework/specification#156 may be relevant for finding a clear way to state the various options for required fields in this TAP.
> Some quick questions:
>
> 1. Is there a reason to do non-succinct hash delegation?

Non-succinct hash delegations provide more flexibility (to define bin sizes, different keys for different...
@trishankatdatadog we could achieve that by separating roles from delegations as follows (I named the delegations "mappings" as this is all in a field called "delegations". We could rethink the...
As long as the implementations are compatible, they should be able to share a POUF number. We should update POUF-1 accordingly.
> Ok, but where do we list POUFs? Shouldn't we list it in a README?

Good question. We should probably add a readme to this directory.