Improve documentation regarding key sharing to avoid vulnerabilities

[dkasak]

As per https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing, we need to improve the relevant areas of the spec and the E2EE implementation guide in order to help implementations avoid similar vulnerabilities in the future.

At the very least, we should call out the following explicitly:

1. When deciding whether a key requesting device is one of those that the room key was originally shared with, the implementation must check whether the identity (Curve25519) key of the device matches with the one previously recorded. It's not sufficient to check only for a MXID/device ID match.

2. In order to accomplish 1, a device must record the identity key of any recipients each time it shares a room key for the first time.

3. Point out this common pitfall: Device with device ID D gets a room key R shared to it. Then it logs out and some time after that, a new device appears with the same device ID D but a different identity key. The implementation must conclude that this is a different device and refuse to serve key requests for R from that device.

   This follows from 1, but confused enough implementations that it should be spelled out explicitly.