If a role in a repository contains a keyid that does not have a matching key in the same metadata, our embedded clients currently disagree on what to do:

- go-tuf refresh fails with:
  Error: failed to refresh trusted metadata: value error: key with ID 41898f69a6e541a5696793230a1036c76acd0b83e48405821a5c0e061b263c28 not found in snapshot keyids
- python-tuf succeeds (I believe because this keyid is not used in signatures so not needed for threshold verification, the relevant key is never looked up).

Both decisions seem reasonable but it would be better if there were consensus. This is from #86.
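To make the two behaviours concrete, here is an added example (not code from this issue, from go-tuf or from python-tuf) that models both strategies over a constructed root/snapshot pair. `ROOT_SIGNED`, `SNAPSHOT_METADATA`, the placeholder keyids and the `toy_sign` stand-in scheme are all constructed for the example; `verify_strict` and `verify_lenient` are hypothetical helpers, not either project's API.

```python
import copy
import hashlib
import json

# Constructed sample metadata modelled on the TUF root/snapshot layout (not a
# real repository). Key IDs are placeholder hex strings, not the one in the issue.
VALID_KEYID = "aa" * 32
DANGLING_KEYID = "bb" * 32  # listed in the snapshot role, absent from "keys"

ROOT_SIGNED = {
    "_type": "root",
    "version": 1,
    "keys": {
        VALID_KEYID: {"keytype": "toy", "keyval": {"public": "toy-public-key-aa"}},
    },
    "roles": {
        "snapshot": {"keyids": [VALID_KEYID, DANGLING_KEYID], "threshold": 1},
    },
}


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the toy signature has a stable input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def toy_sign(public: str, signed: dict) -> str:
    """Constructed stand-in for a real signature scheme (hash of key + payload).
    It only serves to demonstrate key lookup and threshold counting; it is NOT secure."""
    return hashlib.sha256(public.encode() + canonical(signed)).hexdigest()


SNAPSHOT_SIGNED = {"_type": "snapshot", "version": 1, "meta": {}}
SNAPSHOT_METADATA = {
    "signed": SNAPSHOT_SIGNED,
    "signatures": [
        {"keyid": VALID_KEYID, "sig": toy_sign("toy-public-key-aa", SNAPSHOT_SIGNED)},
    ],
}


def dangling_keyids(root_signed: dict, rolename: str) -> list:
    """Keyids a role references that have no entry in the same metadata's "keys"."""
    role = root_signed["roles"][rolename]
    return [k for k in role["keyids"] if k not in root_signed["keys"]]


def verify_lenient(root_signed: dict, rolename: str, metadata: dict) -> bool:
    """Model of the lenient behaviour the issue describes for python-tuf:
    keys are only looked up for keyids that actually appear in signatures,
    so an unused dangling keyid is never noticed. Returns True when the number
    of distinct, valid, authorised signers reaches the role threshold."""
    role = root_signed["roles"][rolename]
    verified = set()
    for sig in metadata["signatures"]:
        keyid = sig["keyid"]
        if keyid not in role["keyids"] or keyid in verified:
            continue  # not an authorised signer, or already counted
        key = root_signed["keys"].get(keyid)
        if key is None:
            continue  # unresolvable signer contributes nothing toward the threshold
        if sig["sig"] == toy_sign(key["keyval"]["public"], metadata["signed"]):
            verified.add(keyid)
    return len(verified) >= role["threshold"]


def verify_strict(root_signed: dict, rolename: str, metadata: dict) -> bool:
    """Model of the strict behaviour the issue describes for go-tuf: any role
    keyid without a matching key is an error before signatures are checked."""
    missing = dangling_keyids(root_signed, rolename)
    if missing:
        raise ValueError(f"key with ID {missing[0]} not found in {rolename} keyids")
    return verify_lenient(root_signed, rolename, metadata)


def with_threshold(root_signed: dict, rolename: str, threshold: int) -> dict:
    """Copy of root_signed with the role's threshold changed (for experiments)."""
    updated = copy.deepcopy(root_signed)
    updated["roles"][rolename]["threshold"] = threshold
    return updated


if __name__ == "__main__":
    print("dangling:", dangling_keyids(ROOT_SIGNED, "snapshot"))
    print("lenient:", verify_lenient(ROOT_SIGNED, "snapshot", SNAPSHOT_METADATA))
    try:
        verify_strict(ROOT_SIGNED, "snapshot", SNAPSHOT_METADATA)
    except ValueError as e:
        print("strict:", e)
    # Raising the threshold shows the dangling keyid can never help reach it.
    print("lenient, threshold 2:",
          verify_lenient(with_threshold(ROOT_SIGNED, "snapshot", 2),
                         "snapshot", SNAPSHOT_METADATA))
```

The threshold-2 run is the case worth noticing: under the lenient model a dangling keyid can never contribute a valid signature, so the disagreement only changes the outcome when the remaining resolvable keys already satisfy the threshold on their own. The strict model surfaces the inconsistent metadata immediately, which is what a conformance suite can assert on once the expected behaviour is agreed.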