Marina Moore
Thanks @znewman01, this now reflects the latest version of the TAP.
The spec says that "We define three keytypes below: "rsa", "ed25519", and "ecdsa-sha2-nistp256", but adopters can define and use any particular keytype, signing scheme, and cryptographic library." So the spec...
The proposal in the TAP should be specific enough that python-tuf can have a feature to parse the new version metadata from a repository (i.e. finding the 2.0.0 folder and...
Replying to a comment in [another issue](https://github.com/theupdateframework/python-tuf/pull/2049#issuecomment-1207448368): The real world use case for this client workflow is when the client isn't controlled by the same entity as the repository. This...
As you say, there are two reasons for a client to upgrade: a change to the implementation or a change to the spec. The first case (while important) is not...
This may relate to an [Uptane proposal for offline updates](https://github.com/uptane/pures/blob/main/pure2.md)
> Another thing I had not considered before: we may want to provide multiple bootstrap files (targets.json and bins.json as well as root.json). This is not really useful for verifying...
Good question. I think that anything that is included in the `succinct_roles` definition should be changed with `Targets` API calls, like the ones you show above. But something that only...
Per [PEP 458](https://www.python.org/dev/peps/pep-0458/#metadata-expiry-times), root metadata should expire every year, so we'll want this value to be at least the number of years we anticipate clients will go between updating their...
I have started on step 1 in #1014.