If there are multiple hash algorithms listed for an artifact, must the client verify all of them?
If the client only supports some of the algorithms listed, is it OK to only verify those?
Should the client be able to use metadata that contains hash algorithms it does not support or know about (assuming hashes can be verified using known algorithms)?
Some open questions not defined in spec: