ace-wg / est-oscore

Consider the use of challengePassword for signature keys without EDHOC #36

Closed malishav closed 2 months ago

malishav commented 7 months ago

Related to #9.

@gselander:

So, at least for static DH, challenge password is not needed. Therefore optionality is good. Then we should think through the case when the CSR is signed with a signature key not used in EDHOC; maybe we need a recommendation in that case.

malishav commented 2 months ago

As a reminder, use of challengePassword in the specification is OPTIONAL and left up to the application profile:

How challengePassword is generated is outside of the scope of this specification and can be specified by an application profile.

The proposal is to update the text in order to mention the case of CSR signed with a key different from the one used in EDHOC, but to leave the optionality and the exact specification to the application profile.

The alternative is to define the use of the EDHOC_Exporter interface, which would populate the challengePassword field.