Consider contextualizing signatures

[DavidSchinazi]

From Ilari Liusvaara on the list:

The signatures do not appear to be contextualized in any way, which is questionable. For example, one could use the same contextualization mechanism that TLS 1.3 uses (which prepends 64 spaces, a context label and NUL [one zero octet]).

[martinthomson]

I think that I might disagree with Ilari here for this application. Key separation is probably a better model to employ here, though as soon as someone even hints that they might want to share client certificate keys and these keys then this sort of protection probably makes sense.

[DavidSchinazi]

Briefly mentioned this issue at IETF 116, but did not have time for questions so we asked folks who care to comment on the issue.

[DavidSchinazi]

Thinking about this some more, prepending a fixed string to the nonce before signing it sounds like it would be pretty cheap and would remove a class of issues - I'm inclined to do that. I'll write up a PR.

[DavidSchinazi]

OK wrote up #2574 to address this