Reject 4S key sharing requests after timeout

[jryans]

When verifying a new device, we use 4S key sharing requests behind the scenes to share various account-level private keys, such as your cross-signing private key and others, so that the new device can perform all the same security functions as the existing device used to verify it.

At the moment, these key sharing requests from a verified device are always accepted, even if the verification process happened a long time ago.

As an additional security measure, after N seconds have passed since a device was verified, we should silently reject 4S key sharing requests from it.

(The value of N is still up for discussion.)

[kittykat]

"If the issue is targeting the „verify session notification“: this one gets closed after verification.
Not sure what it is really about"

I'm going to close this issue for now, please reopen if the above is not the case 👍

[jryans]

This issue is more about a potential security improvement that was planned for cross-signing but not yet implemented. I have rewritten the issue body with more context. The Crypto team should take a look at this and evaluate whether it's something they want to take on.