Incorrect delegation lookups can make go-tuf download the wrong artifact
During the ongoing work on the TUF conformance test suite, we have come across a test that reveals what we believe is a bug in go-tuf with security implications. The bug exists in go-tuf delegation tracing and could result in downloading the wrong artifact. We have come across this issue in the test in this PR: https://github.com/theupdateframework/tuf-conformance/pull/115. The test - test_graph_traversal - sets up a repository with a series of …