Merge branch 'ocsp-constraints'

Limits cached OCSP verification to responses signed by the CA, a directly
delegated signer or a pre-installed OCSP responder certificate. Disables
auth config merge for revocation trust-chain strength checkin, as it breaks
CA constraints in some scenarios.