Red October's basic access control mechanism should be monotone

[jkroll-cf]

Currently, if you delegate and specify users who can decrypt, Red October will only allow those users to make successful decryptions for secrets in the bailiwick of the delegation. However, if you specify an empty users string, Red October abdicates any checking of the user calling decrypt. This nonlinear behavior is not expected, and should be fixed. The ability for anyone to decrypt should be preserved as its own option and should be controlled by metadata on delegation state instead of by overloading the users list.