Witness policy parser uses mismatched key format

[florolf]

The implementation of the witness policy parser refers to the sigsum specification explicitly, but requires the use of vkeys for witnesses instead of the bare hex-encoded pubkeys described in the specification.

This makes both implementations mutually incompatible. It's not clear yet what the way forward should be if people think it makes sense to converge on one central spec (e.g. in C2SP), I just wanted to create an issue to track this discrepancy.

Random thoughts:

• For the various implementations this incompatibility doesn't really matter all that much right now (other than being a little confusing for people who are familiar with another flavor already)
• We could allow the union of both bare keys and vkeys, though this seems unnecessarily complex other than if backwards compatibility is a big concern
• vkeys are the more natural choice in the C2SP world, but are also more complex (e.g. there's theoretically an algorithm extension point, which can be good or bad depending on which philosophy you ascribe to) and there's also some level redundancy between the witness name field and the vkey name.

[AlCutter]

Hi @florolf thanks for adding this to track.

I'm very happy to fork the spec text here if it's causing a problem or confusion; my main goal in linking to it directly was obvious attribution of the work which went into thinking about how to represent the policy graph. It does feel like that part of the spec is generally useful, though, perhaps it could be "factored out" and leave <key> as an implementation defined representation.