If two auth certs are both old but were generated nearby in time, we keep both

In trusted_dirs_remove_old_certs() we check if

            (cert_published + OLD_CERT_LIFETIME < newest_published)) {

when deciding whether to discard an old cert from our cache.

We don't check it at all with respect to current time.

So if an authority generates a signing key in January, and then generates ten more signing keys within a week, and now it's April, we'll still keep all of them until they expire or until a new signing key shows up that's more than 7 days newer than them.

This cannot be the right logic.