boulder

Investigate reducing the names-per-cert limit

Open • aarongable opened this issue 3 years ago • 0 comments

We believe that most large certs come from large integrators, and the combination of many names per cert with long authorization lifetimes leads to many simultaneous CAA rechecks, and occasionally DNS rate-limiting. Reducing the number of names per cert may not be disruptive for most subscribers, and it may be disruptive primarily for the same folks for whom reducing Authz lifetimes would be disruptive, so making both changes at the same time might be a good idea.

Ideas for investigation:

  • Get list of accounts (large integrators?) who consistently use large certs
  • Establish a names-per-cert histogram metric

aarongable • Jan 03 '23 19:01