Add a signing-key pinning mechanism to the federation key APIs (SPEC-329)

[matrixbot]

Add a way for home-server operators to promise in the /key responses that they won't lose the private keys for their HS.

Then other HSes that have observed that key won't accept a different key for that domain, giving stronger guarantees against MITM attacks.

Something like https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

(Imported from https://matrix.org/jira/browse/SPEC-329)

(Reported by @NegativeMjark)

[matrixbot]

Jira watchers: @NegativeMjark

[richvdh]

Is this superceded?

[richvdh]

I don't think it is superceded; it is an idea that might help with https://github.com/matrix-org/matrix-spec/issues/234.