TPA-RFC-18: adopt a new TPA security policy

As part of the tails merge, we want to adopt a common security policy. Considering we don't have a formal security policy in tor at all (tpo/team#41), perhaps the simplest would be to just adopt the Tails security policy directly.

There are many questions to answer here, however. First is compliance of TPA to "level B" of the security policy, which should perhaps be checked individually with all current TPA members. But then, if we adopt this policy, perhaps we need to actually make it public like our other policies, something which tails folks might not feel comfortable with. If not, then we need to figure out how to have secret policies.

We also need to figure out if we adopt the compliance framework and other policies they have out there (like the "Data Storage and Retention Policy") and whether tails want to do some changes to their policy before it reaches wider adoption.

This ticket, in any case, is secret because the merge is still a secret anyways...

In any case, here's a draft checklist:

• check compliance of TPA members to Tail's security policy, level B (which includes level A), a copy of those policies was sent to tpa-team@ for review
  • @anarcat
  • @hiro
  • @lavamind
  • @lelutin
  • @linus
  • @weasel
• check if tails needs to make changes before wider adoption (@groente @zen )
• review (@anarcat) and decide if we need to adopt the Data Storage and Retention Policy (@anarcat @groente @zen)
• decide on the compliance strategy (currently, tails does a "compliance check" but it's marked as "broken for years" so perhaps it's not the best thing to import?)
• decide if the policy can be made public (@anarcat @groente @zen others?) if so, it should be documented in the wiki. either way, we use TPA-RFC-18 as a tracking number for this work. (it can, but not divulging the tails merge)
• determine if we need to adopt a emergency rotation checklist... we do have a mass rotation procedure for the password manager, but not much above that.