EKM keys refresh: allow removing keys, except when revoked + improve revoked handing

[tomholub]

• if key was removed from EKM, then we also remove it from local storage, UNLESS we already have a revoked version of that key. revoked keys cannot be ever removed from our storage (the app needs to continue to be aware that the key was revoked, so it can reject all future.
• never replace our own revoked key with a newer version of the key from EKM whatsoever

That means, if we ever get a revoked key, no more updates are allowed to that key. The key cannot be removed or updated anymore.