Precise checking when credential update may break dependent objects
Currently any credential definition change is considered dangerous, for e.g. pending registration requests using the credential. This is bit painful on large sites, so a better algorithm should be implemented, blocking credential updates only when an actual reconfiguration of credential is dangerous. E.g. changing credential reset notification channel is not dangerous.