Marina Moore

Thanks for the reviews @joshuagl and @trishankatdatadog! I added a couple of commits to address your comments.

> This language is still vague: > > > If a threshold of the keys have been removed in the new trusted root metadata compared to the previous trusted root...

> Do you agree? > > So I think both of you are talking about the same thing? I agree, @trishankatdatadog is this also what you were talking about? I...

> In general, we do assume you can persist metadata. In particular, the snapshot, root, and timestamp are essential. Only the snapshot here will really vary in size as it...

IIRC the current version of the spec does not support TAP3 (multi-role delegations), so this text is probably left over from before that decision, and should be re-added in version...

In Uptane, the targets file size has to be an exact match so that it is the same for the director and image repos (see step 10 in [full verification](https://github.com/uptane/uptane-standard/blob/master/uptane-standard.md#full-verification-full_verification))....

Related to #150 (we should make sure it's fixed there)

I think it makes sense to try all of the hashes before giving up, similar to the behavior of go-tuf. It looks like the [python-tuf ng client](https://github.com/theupdateframework/python-tuf/blob/develop/tuf/ngclient/updater.py#L268) only uses the...

Validating root metadata before snapshoting, as mentioned in theupdateframework/go-tuf#292

This is a good catch, and certainly something that we should clarify. I agree with @trishankatdatadog. We want to avoid visiting the same node multiple times so that roles don't...