Security considerations in hsync

* Server-generated signatures

If we let the server use server-generated signatures, then it can
store any opaque data it likes inside them.  This is basically
equivalent to always allowing the server to store cookies on the users
disk, which is a bit undesirable.  

If the server wanted to tell when a particular cache was accessing it,
then it could do so by this means.  Of course, normally it could do
this anyhow, by matching on for example the source address.  We're
only giving something away when we are otherwise taking precautions to
maintain anonymity by turning off cookies and so on.  Still, it would
be a cool way to e.g. match up people's banner impressions when they
have cookies turned off for images.

In fact, you can imagine doing exactly the same thing using
modification dates on a dynamically-generated resource: we just give
the user a fake date whose time_t value uniquely keys the user.
Unless the user agent's cache is flushed or disabled the server can
tell who they are by looking for If-Modified-Since headers.

Cute!