This patch elaborates the node security design wrt to SSH
key handling to make sure it is feasible before starting
the implementation.
In this updated design the first and more simple proposal
of simply removing the private root key from normal nodes
was abandoned, because the implementation of various
node operations (adding/removing, promoting/demoting)
turned out to contain too many security problems so that
the second proposal, where each node get's a separate
key pair was chosen to be implemented.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>