change how we mark the default key, and make sure clients trust keys

proposals/1946-secure_server-side_storage.md

@@ -48,11 +48,17 @@ A key with ID `abcdefg` is stored in `m.secret_storage.key.abcdefg`
 }
 ```
 
-If a key has the `name` property set to `m.default`, then this key is treated as
+A key can be marked as the "default" key by setting the user's account_data
-the default key for the account.  The default key is the one that all secrets
+with event type `m.secret_storage.default_key` to the ID of the key.  The
-will be encrypted with, and that clients will try to use to decrypt data with,
+default key will be used to encrypet all secrets that the user would expect to
-unless the user specifies otherwise.  Only one key can be marked as the default
+be available on all their clients.  Unless the user specifies otherwise,
-at a time.
+clients will try to use the default key to decrypt secrets.
+
+Clients MUST ensure that the key is trusted before using it to encrypt secrets.
+One way to do that is to have the client that creates the key sign the key
+description (as signed JSON) using the user's master cross-signing key.
+Another way to do that is to prompt the user to enter the passphrase and ensure
+that the generated private key correponds to the public key.
 
 #### Secret storage