define "static" keyrings

[mattsb42-aws]

The "raw" keyrings have a variety of issues that make them less than ideal to use. Unfortunately, these issues cannot be addressed without introducing breaking changes, and those changes are significant enough to warrant an entirely new keyring concept. We have clear customer demand for "keyrings that can operate directly with master key material", so this is worth doing.

For the purposes of this issue, I will refer to this new keyring category as "static" keyrings, but that name MAY change before it is created.

The characteristics that static keyrings MUST have include:

• The serialized provider ID MUST equal the key namespace.
• The serialized provider info MUST equal the key name.
• The EDK ciphertext MUST contain sufficient metadata for the keyring to determine the algorithm/mode/etc needed to decrypt it.
• Every static keyring MUST authenticate the encryption context.
• The static keyring design SHOULD be sufficiently flexible to be adapted to other algorithms beyond AES and RSA in the future.

[seebees]

The Raw AES Keyring uses the message format AAD serialization in the AAD for the wrapping key. This AAD has limits on size and the number of pairs. But for raw or static keyrings I do not see why there should be any such limit on the AAD. This is not a fully flushed out requirement, but I wanted to record this edge case.