TAP 19: should discuss privacy

[jku]

While I was readin up on passim (a mDNS based content addressable storage) I noticed that their main use case fwupd does not use passim for artifact downloads because of privacy reasons: They don't want the other download "source" (which is potentially untrusted) to know which firmware files get downloaded.

I think TAP 19 should discuss the privacy implications as well: I think they exist in some form for all content addressable storage where the participants are not completely trusted (in comparison to traditional TUF where the privacy leak happens only to the relatively more trusted TUF artifact repository).

[joshuagl]

Here's a blog post introducing Passim.

cc @adityasaky as the submitter of TAP 19.