made me think about the
current revocation behaviour in `ipa cert-request`. For hosts and
services, all old certificates get revoked.
I wrote a blog post outlining the problems with the current
behaviour, and some suggested changes. I'd like to know others'
thoughts. If we go ahead it would be something for a major release,
not a bugfix release. The actual amount of work is pretty small.