Small order elements in EdDSA

[twiss]

The current draft mandates checking for small order elements in X25519 and X448, but not yet in Ed25519 and Ed448. We should probably add this, as per tQsW/webcrypto-curve25519#5, mozilla/standards-positions#271 (comment) and mozilla/standards-positions#271 (comment). I'll try to come up with some text for that.

Another, somewhat orthogonal question, is whether we want to check for this during key import already, rather than during signature verification and key derivation, respectively. This would involve checking the public key against a hardcoded list of known values and rejecting it if it matches. For EdDSA, this would be necessary, anyway - but for key derivation it's slightly more complicated than just checking the derived key. We could add the list of public keys to an appendix of the spec, though, to make this easier to implement.