In trusted_dirs_remove_old_certs() we check if ``` (cert_published + OLD_CERT_LIFETIME < newest_published)) { ``` when deciding whether to discard an old cert from our cache. We don't check it at all with respect to current time. So if an authority generates a signing key in January, and then generates ten more signing keys within a week, and now it's April, we'll still keep all of them until they expire or until a new signing key shows up that's more than 7 days newer than them. This cannot be the right logic.