web-payments/web-payments.org

Complete threat analysis


We need to complete a full STRIDE threat analysis on the HTTP Signatures specification and write up the findings in a separate document. We probably want to publish this as another IETF draft, as security analysis can lead to reams and reams of words written and we don't want to give people the mistaken impression that HTTP Signatures are complicated by expanding it into an 80-page document, where 70 of those pages are threat analysis.

We should write a Security Considerations section, following all the attack vectors outlined in RFC 3552.

We may also want to consider the guidance given in RFC 4104.

We will also want to use terminology from RFC 4949.

/cc @mcavage