TUF-1.0.9 §5.1.2 states: Try downloading version N+1 of the root metadata file, up to some W number of bytes (because the size is unknown). The value for W is set by the authors of the application using TUF. For example, W may be tens of kilobytes. The filename used to download the root metadata file is of the fixed form VERSION_NUMBER.FILENAME.EXT (e.g., 42.root.json). If this file is not available, or we have downloaded more than Y number of root metadata files (because the exact number is as yet unknown), then go to step 5.1.9. The value for Y is set by the authors of the application using TUF. For example, Y may be 2^10. We do not have an upper bound on the number of root metadata we'll fetch. This means that an attacker that's stolen the root keys could cause a client to fall into an infinite loop (but if an attacker has stolen the root keys, the client probably has worse problems to worry about).