test root key rotation when threshold of keys rotate

[jku]

I'm not sure if this works currently:

• root signers remain the same
• but their keys (ubikeys) change

in this case we should ask the signers to sign with both old and new keys but I think that might not happen. This does work if the new key is "owned" by a different signer

[jku]

The way this should work is likely:

• when we find out if a signature is needed, create a list of keys that
  • are owned by this user
  • should sign
• when signing, we should ask user to insert specific key (and maybe check that the correct key is inserted)
  • how we describe the correct key to the user is a bit of a problem: keyid is useless
  • securesystemslib does have some support for this: "hsm:2?label=YubiKey+PIV+%2315835999" can be used to load a signer for a specific pkcs label
  • l'm not sure if we want to store the label in the public metadata or just in a client cache (we currently don't store it anywhere): Store signing key details in a signer application cache #66

[jku]

also relevant #50