creator-assertions / identity-assertion

Creator Assertions Working Group :: Identity Assertion
https://creator-assertions.github.io/identity/

Signer payload fixes #96

Closed paulengland closed 1 month ago

paulengland commented 2 months ago

This is a partial/incomplete description of the security fixes identified in https://github.com/creator-assertions/identity-assertion/issues/95

These changes will need corresponding changes elsewhere in the spec, especially in the validation section, but this will be added once we have settled on the changes here.

github-actions[bot] commented 2 months ago

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

paulengland commented 2 months ago

I have read the CLA Document and I hereby sign the CLA

scouten-adobe commented 2 months ago

I think there are three distinct suggestions being made in this PR. I'd like to separate them out and discuss separately if possible:

  1. Editorial changes in the overview section. I've pulled those out into a new PR #102, which contains some of the wording changes from this PR, but none of the semantic changes. I'm hoping that can be easily reviewed and approved tomorrow.
  2. The discussion about sig_type being part of the signer_payload. I'll queue up an agenda item on this. To be honest, I haven't yet understood the potential threat model here, but I am hopeful that we can discuss and resolve tomorrow. If we agree to make that change, I'll offer a new PR after tomorrow's meeting.
  3. The control that the credential holder in this case is seeking over the construction of the surrounding C2PA Manifest. @lrosenthol has major concerns about this and will be unable to join us tomorrow. We can start a discussion (and I have a possible alternative that I'm contemplating), but we will need to wait until we can include him in the discussion before we can come to resolution on this part.

scouten-adobe commented 1 month ago

Closed in favor of #103, which was merged today.