Change transaction signature verification algorithm: 1) disallow "substitution" of key roles and 2) allow transactions with mixed roles

  • 1. I think we should eliminate the "key substitution" ability (e.g. via a hardfork). I've always thought it was a bad idea from a security perspective and I've wanted to change this for a long time, just been too busy with other issues. For example, owner keys should only be used when absolutely needed for their intended purpose: to change keys. Allowing them to be used to sign other types of transactions increases the chance they will be used more often, which increases the chances they will be leaked. The proper sequence if a user is missing an active key should always be to use their owner key to change the active key to one they have, then use the active key to sign "regular" active operations. Also, preventing signing with higher level "risky" keys will also tell the user that a transaction containing multiple operations that is signed with a risky key MUST have a more risky operation embedded in it.

  • 2. On a related note, I strongly believe we should eliminate the current limitation in Hive that prevents mixing operations of different authority levels in a transaction. It doesn't seem to be a reasonable security concern because wallets should always clearly show what levels of keys are being used, and they should especially highlight usage of high authority keys like owner and active without requiring a review of the transaction to see if operations are being mixed (i.e. we don't need blockchain to enforce non-mixing). And this current non-mixing rule prevents potentially useful transaction-level "all-or-nothing" behaviors.

From hived comments, it appears this limitation was for "ease-of-implementation", not for security reasons:

   /**
    *  Transactions with operations required posting authority cannot be combined
    *  with transactions requiring active or owner authority. This is for ease of
    *  implementation. Future versions of authority verification may be able to
    *  check for the merged authority of active and posting.
    */

However, I think it's not that difficult to fix this, and we should. Both these changes will require a hardfork, of course. With lite accounts, and the corresponding expansion of allowed roles (essentially open-ended), it should be fairly obvious that we're going to want to allow transactions with mixed roles, so this work pretty much has to be done for lite accounts anyways.

Edited Dec 13, 2024 by Bartek Wrona
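
The two rules from the issue, side by side, as an added example that is not part of the original issue and is not hived code. It is a simplified model that assumes one key per role and ignores weights, thresholds and account authorities; all type, function and key names (`verify_current`, `verify_proposed`, `ALICE_OWNER`, ...) are hypothetical.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>
// Simplified model: one key per role; no weights, thresholds or account auths.
enum class Role { Posting = 0, Active = 1, Owner = 2 };
struct Op { std::string account; Role required; };
using Keys = std::map<std::string, std::map<Role, std::string>>;
using Sigs = std::set<std::string>;

// Constructed sample account; the key names are placeholders, not real keys.
Keys sample_keys() {
    return {{"alice", {{Role::Posting, "ALICE_POSTING"},
                       {Role::Active, "ALICE_ACTIVE"}, {Role::Owner, "ALICE_OWNER"}}}};
}

// Role that `sig` holds on `account`, or -1 if it is not one of its keys.
static int role_of(const Keys& keys, const std::string& account, const std::string& sig) {
    auto it = keys.find(account);
    if (it == keys.end()) return -1;
    for (const auto& kv : it->second)
        if (kv.second == sig) return static_cast<int>(kv.first);
    return -1;
}

// Behaviour the issue describes today: higher keys substitute, posting cannot mix.
bool verify_current(const Keys& keys, const std::vector<Op>& ops, const Sigs& sigs) {
    bool posting = false, higher = false;
    for (const auto& op : ops) {
        if (op.required == Role::Posting) posting = true; else higher = true;
        bool ok = false;
        for (const auto& s : sigs)
            ok = ok || role_of(keys, op.account, s) >= static_cast<int>(op.required);
        if (!ok) return false;
    }
    return !(posting && higher);
}

// Proposed rule: exact role per operation, mixing allowed, no unneeded signatures.
bool verify_proposed(const Keys& keys, const std::vector<Op>& ops, const Sigs& sigs) {
    Sigs used;
    for (const auto& op : ops) {
        bool ok = false;
        for (const auto& s : sigs)
            if (role_of(keys, op.account, s) == static_cast<int>(op.required)) { ok = true; used.insert(s); }
        if (!ok) return false;
    }
    return used == sigs;
}
```

Rejecting a signature that no operation needs is how this model expresses the point that an owner or active signature on a transaction implies an owner or active operation inside it.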