Update to the design of the Master Key Migration project

[Ken Raeburn]

I'd like to see one (or more) test cases added -- something to verify  
that the various means of setting a new key (kpasswd, kadmin commands  
like cpw or xst, as well as the new/modified commands) when applied to  
the master key principal will either be rejected without changing the  
database or retain all the old keys, even if that list is larger than  
the normal key history size.  That is, make sure the normal key  
history mechanisms won't accidentally throw away some of our still- 
used master keys.

Ken