Key rotation: Verifier should support N keys.

[pda]

Currently key rotation is difficult; the verifier needs to start verifying with the new key at the same moment the new key is used by the signer. In a high-traffic environment this can be near impossible without dropping requests.

It should be possible to pass multiple keys to the verifier, so that both old and new keys can be accepted for a period of time. Either N keys, or a static limit of two keys (current and previous) would work.

This could be represented by passing an array of keys per ID; using the first for signing, and using all of them for verification. Or… something else?