Ratelimit submission of old certificates

[mcpherrinm]

One way to DoS a CT log would be bulk submission of old entries from another log.

It would be good to ratelimit submission of "old" entries. The Baseline Requirements allow backdating of up to 48 hours, so that's a reasonable threshold to consider an entry "old". Generally I'd expect submission of old certificates to be relatively low.

I don't have strong opinions on how to express the rate limit.

[FiloSottile]

Since our write ratelimit is the pool size, we can just reserve part of it for only new certificates.

[mcpherrinm]

One thing I was considering was that we could prioritize "old" entries behind new ones in some way, so we can fill the pool each sequencing operation, and only drop old entries if the pool would otherwise be full.