spec: For security of authentication, an image needs to sign deprecated parents

[alexanderkjeldaas]

Signatures on an image is in itself not enough to verify that an image is proper. Signatures do not defend against downgrade attacks.

However, embedding a "parent pointer", like in a git commit, and then signing the result makes it possible to build a DAG where some images, by being pointed to by other images, are deemed to be obsolete or insecure.

The "parent pointers" that are needed in the manifest to do authentication securely, and not have downgrade attacks, are "deprecates: [list of images]".

[philips]

@alexanderkjeldaas I think this is a good idea to explore. Would you mind writing up some example use cases and perhaps a patch to the SPEC.md?