Security issues

[rdinicut]

1. The identity contract can proxy to it's own address. A user can be tricked to add its identity contract as a management key and in that case any action key can be a management key.
   We should enforce that a management key can not be self
2. A management key can revoke all other management keys, which means that an identity contract can be in a state where keys can not be added or revoked anymore. There should always be at leas one unrevoked management key?
3. revokedAt is just a flag and it's not enforced on chain. The contract should allow any state change on revoked keys