Some open questions not defined in spec:
- if there are multiple hash algorithms listed for an artifact, must the client verify all of them?
- if the client only supports some of the listed algorithms, is it ok to verify only those?
- should the client be able to use metadata that contains hash algorithms it does not support or know about (assuming hashes can be verified using known algorithms)?
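One way a client could make these choices explicit, as an added example that is not part of the spec these notes refer to or of any reference implementation: the policy names (REJECT_UNKNOWN, IGNORE_UNKNOWN), the SUPPORTED set, the sample artifact and the made-up "future-hash" algorithm are all this example's own assumptions. The strict behaviour it implements is: check every listed algorithm the client supports, treat a mismatch under any of them as fatal, refuse to proceed when nothing at all could be checked, and let a policy flag decide whether metadata naming an unknown algorithm is usable.

```python
import hashlib
import hmac
from typing import Mapping

# Hypothetical client-side policy knobs; the spec does not define these,
# they are this example's own names.
REJECT_UNKNOWN = "reject_unknown"   # any unsupported algorithm makes the metadata unusable
IGNORE_UNKNOWN = "ignore_unknown"   # verify the algorithms we support, skip the rest

# Algorithms this client can compute (shake_* omitted: they need a digest length).
SUPPORTED = {a for a in hashlib.algorithms_guaranteed if not a.startswith("shake")}


class HashVerificationError(Exception):
    pass


def verify_hashes(data: bytes, listed: Mapping[str, str],
                  unknown_policy: str = IGNORE_UNKNOWN) -> set[str]:
    """Verify `data` against every listed hash the client supports.

    Returns the set of algorithms that were actually checked. Raises if any
    supported digest mismatches, if nothing could be checked at all, or if the
    policy rejects metadata that names an algorithm the client lacks.
    """
    names = {alg.lower(): alg for alg in listed}      # normalise case of algorithm names
    known = {n for n in names if n in SUPPORTED}
    unknown = set(names) - known
    if unknown and unknown_policy == REJECT_UNKNOWN:
        raise HashVerificationError(f"unsupported hash algorithms listed: {sorted(unknown)}")
    if not known:
        raise HashVerificationError("no supported hash algorithm listed; nothing verifiable")
    for n in sorted(known):
        actual = hashlib.new(n, data).hexdigest()
        expected = listed[names[n]].lower()
        # constant-time compare; a mismatch under ANY supported algorithm is fatal
        if not hmac.compare_digest(actual, expected):
            raise HashVerificationError(f"{n} digest mismatch")
    return known


def try_verify(data: bytes, listed: Mapping[str, str],
               unknown_policy: str = IGNORE_UNKNOWN) -> tuple[bool, str]:
    """Convenience wrapper returning (ok, detail) instead of raising."""
    try:
        return True, ",".join(sorted(verify_hashes(data, listed, unknown_policy)))
    except HashVerificationError as e:
        return False, str(e)


# Constructed sample: the artifact b"abc" with its standard test-vector digests
# plus a made-up algorithm name standing in for one the client does not know.
ARTIFACT = b"abc"
METADATA = {
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "sha512": "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
              "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
    "future-hash": "00" * 32,  # placeholder for an algorithm this client lacks
}

if __name__ == "__main__":
    print(try_verify(ARTIFACT, METADATA))                                 # sha256 and sha512 checked
    print(try_verify(ARTIFACT, METADATA, unknown_policy=REJECT_UNKNOWN))  # rejected: unknown algorithm
    print(try_verify(ARTIFACT, {"future-hash": "00" * 32}))               # rejected: nothing verifiable
    print(try_verify(b"abd", METADATA))                                   # rejected: sha256 mismatch
```

Whichever answer the spec eventually gives to the third question, the "nothing verifiable" branch is the one to keep: metadata whose only listed algorithms are ones the client cannot compute gives no integrity guarantee at all, and silently accepting it is equivalent to skipping hash verification.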