Consider validator node key revocation

[AaronFeickert]

Currently, there is no way to signal the compromise of a validator node signing key.

One approach under discussion is to have registration specify the public key of a "revocation key" whose signing key can be more tightly controlled. If the validator node's signing key is compromised, it can revoke it using the revocation key and specify a new signing key.

There's a lot of subtle logic to be specified about how this protocol would work.