Policy exchange should be secured

[LourensVeen]

This depends on issue #4, which needs to be completed first.

• [x] Figure out ownership and who is authorised to make which rules
• [x] Global key infrastructure
  • We'll need some way for a party to verify that another party has made a particular rule. Check if we can use HTTPS certificates for this (we'll need those anyway for the REST APIs), or if we'll need a separate key infrastructure. Certificates also have the whole trust chain/anchor thing built in, so that would be very useful. But can you sign random data with them outside of the context of HTTPS?
• [x] Add signatures to rules so we can verify who made them
• [ ] Have PM verify signatures on those rules and that they were made by someone authorised to do so

[LourensVeen]

Eventually, we'll have every party have an X.509 certificate, register those with the central registry, then use them for signing rules as well as securing HTTPS REST APIs from both ends. For now, the central registry stores a public key, which others can use to verify that a rule is valid.

[LourensVeen]

We're verifying the rules now when they are received by our Replica, but PolicyManager doesn't check them on the fly yet. So we're protected from someone intercepting our connection to the ReplicationServer, but we're not protected from someone hacking our local database and inserting rules.