Create a key rotation process
Key rotation of the Lox secret keys will need to happen once in a while to avoid credential id collisions. It's unclear at the moment exactly how this should be done. To avoid adding breaking changes to the API once Lox has been rolled out, it would be ideal to have a plan in place for key rotations and adjust the API appropriately prior to the official release. A viable key rotation process should handle the following:
- All issued credentials should be able to be successfully redeemed up until the credential expires.
- After keys have been rotated, a credential issued with an old key should be considered valid (as long as the credential itself is valid) and should be redeemable for a credential issued with the new key.
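The two requirements above can be satisfied with a versioned keyring: each credential carries the id of the key that issued it, the issuer keeps old keys in a verify-only state until every credential they could have issued has expired, and redemption always re-issues under the current key. The sketch below is an added illustration written for this issue, not Lox's own code; it uses an HMAC as a stand-in for Lox's algebraic MAC, and the `CRED_LIFETIME` value, the `Issuer` API and the per-key spent set are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed maximum credential lifetime (example value, not a Lox parameter).
CRED_LIFETIME = 30 * 24 * 3600


@dataclass(frozen=True)
class Credential:
    key_id: int       # which issuer key produced the tag
    cred_id: bytes    # random id, unique among credentials issued under key_id
    expires_at: int   # unix time after which the credential is no longer redeemable
    tag: bytes        # HMAC over (key_id, cred_id, expires_at); stands in for the real MAC


@dataclass
class IssuerKey:
    secret: bytes
    issue_until: Optional[int] = None   # None while current; set when rotated out


class Issuer:
    """Hypothetical issuer holding a versioned keyring (example design)."""

    def __init__(self) -> None:
        self._keys: Dict[int, IssuerKey] = {0: IssuerKey(secrets.token_bytes(32))}
        self._spent: Dict[int, Set[bytes]] = {0: set()}   # double-spend set, scoped per key
        self.current_key_id = 0

    def _mac(self, key_id: int, cred_id: bytes, expires_at: int) -> bytes:
        msg = key_id.to_bytes(4, "big") + cred_id + expires_at.to_bytes(8, "big")
        return hmac.new(self._keys[key_id].secret, msg, hashlib.sha256).digest()

    def rotate(self, now: int) -> int:
        """Start issuing under a fresh key; the old key becomes verify-only."""
        self._keys[self.current_key_id].issue_until = now
        new_id = self.current_key_id + 1
        self._keys[new_id] = IssuerKey(secrets.token_bytes(32))
        self._spent[new_id] = set()
        self.current_key_id = new_id
        return new_id

    def prune(self, now: int) -> List[int]:
        """Delete retired keys once every credential they could have issued has expired."""
        dead = [kid for kid, k in self._keys.items()
                if k.issue_until is not None and k.issue_until + CRED_LIFETIME <= now]
        for kid in dead:
            del self._keys[kid]
            del self._spent[kid]
        return dead

    def issue(self, now: int) -> Credential:
        kid = self.current_key_id
        cred_id = secrets.token_bytes(16)
        expires_at = now + CRED_LIFETIME
        return Credential(kid, cred_id, expires_at, self._mac(kid, cred_id, expires_at))

    def verify(self, cred: Credential, now: int) -> bool:
        key = self._keys.get(cred.key_id)
        if key is None or now > cred.expires_at:
            return False
        # A retired key could not have granted an expiry past its last issue time.
        if key.issue_until is not None and cred.expires_at > key.issue_until + CRED_LIFETIME:
            return False
        expected = self._mac(cred.key_id, cred.cred_id, cred.expires_at)
        return hmac.compare_digest(expected, cred.tag)

    def redeem(self, cred: Credential, now: int) -> Optional[Credential]:
        """Accept a valid, unspent credential under any live key and re-issue it
        under the current key; ids are tracked per key, so they cannot collide
        across a rotation."""
        if not self.verify(cred, now) or cred.cred_id in self._spent[cred.key_id]:
            return None
        self._spent[cred.key_id].add(cred.cred_id)
        return self.issue(now)
```

Keeping the spent set scoped by `key_id` is what removes the collision concern: an id only needs to be unique among credentials issued under the same key, and that key is discarded by `prune` once its last credential has expired, so the window in which collisions matter is bounded by `CRED_LIFETIME` after each rotation.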
There may be additional considerations I haven't thought of. See discussion here.
Edited by onyinyang