Design and implement defenses against the threat of impersonating a user/device

Split off from !1 (merged) as per @jcalderone's suggestion:

**Threat**: impersonate a user

This is a superset of the above threat, more or less. Devices that can write to a shared folder also retain a Tahoe write-capability to record their changes (as Snapshots) to files. Anyone who learns this capability can forever write updates that appear to come from the device that (legitimately) holds the write-capability. In addition, since Tahoe only allows (but doesn't enforce) a single writer, a malicious actor holding the write-capability could in theory render that device's updates inaccessible (corrupted) and make future updates impossible. (This design doesn't allow a new device to write, so this threat isn't immediately relevant.)

Since this threat isn't immediately relevant, perhaps it doesn't belong in this document? We can capture it in a separate design doc or a ticket for now.