Is multi-role delegation in 1.0.0 or not?

[trishankatdatadog]

In the current version of the spec, we say:

5.5.6.2.1. If the current delegation is a multi-role delegation, recursively visit each role, and check that each has signed exactly the same non-custom metadata (i.e., length and hashes) about the target (or the lack of any such metadata).

But nowhere else do we actually define how to specify multi-role delegations. Did we: (1) forget to specify how multi-role delegations are listed (since they are backwards-incompatible), or (2) did we agree not to release them as part of 1.0.0, and this is leftover text intended for 2.0.0?

[mnm678]

IIRC the current version of the spec does not support TAP3 (multi-role delegations), so this text is probably left over from before that decision, and should be re-added in version 2.x.x. See discussion in #93

[trishankatdatadog]

Thanks for checking, Marina. Too bad we missed this piece of text back then, but better late than never.

[lukpueh]

As a reminder, I pointed out the stray nature of this piece of text a year ago (see #57 (comment)), when we decided that TAP 3 should not be part of 1.0.0, given that apart from that text and the claim that the spec adhered to TAP 3 there was no mention of it.

We also discussed this in the course of a community meeting (see meeting notes about "Versioning") and I removed the corresponding claim in #93 before tagging 1.0.0. It looks like back then we did not not find it necessary to remove said piece of text in the client workflow. Maybe because it does not necessarily make the spec inconsistent? But I agree it is quite surprising to talk about multi-role delegations out of nowhere.

So I'm not against removing it now, we just have to be careful when propagating the changes back into the draft branch, because it already contains a full adoption of TAP 3 (#57), with a slightly modified version of that text, which in itself is not fully TAP 3 compliant (see b46dc5e).

[trishankatdatadog]

Concur @lukpueh