Should we eliminate task-specific HPKE keys?

[inahga]

From discussion in https://isrg.slack.com/archives/C0167LT4C73/p1689871160489639?thread_ts=1689810185.430009&cid=C0167LT4C73.

Since we must implement global HPKE keys for taskprov (or more precisely, task-independent HPKE configuration), we can consider doing away with task-specific HPKE keys entirely.

The main possible benefit is that we don't have to worry about per-task HPKE key rotation. It's more difficult to implement than for global HPKE keys, since we have to manage a set of keys for each discrete task. (Note that we could just never rotate a task HPKE and just let them age out).

Possible drawbacks:

• The subscriber can never be in control over a global key. (i.e. they may want to choose different ciphers, but this could be mitigated by having a wide set of global keys using different ciphers to choose from).
• Could have a large blast radius if a global key is compromised (although in the current architecture, if any report encryption key is leaked it's highly likely they're all compromised).
• Spinning up janus from scratch is slightly more complicated, because the operator has to provision a global key after the database schema is applied.

[inahga]

Superseded by https://github.com/divviup/janus/issues/2147