crlite
Create filter-based delta updates
Consider two successive runs of rust-create-cascade where the known-revoked certificate sets are R1 and R2, respectively, and the known certificate sets are N1 and N2, respectively. The second run of rust-create-cascade will output a full filter that encodes R2 relative to N2 and it will output a "stash file" that lists the elements of R2 \ R1.
There are two problems with stash files.
- they are much less space efficient than filters, and
- they don't update the coverage metadata for known non-revoked certificates.
This PR makes it so that the second run of rust-create-cascade outputs a filter that encodes R2 \ R1 relative to N2. This turns out to be much more space efficient than a stash, and (at least in the case of Clubcard filters) the new filter contains fresh coverage metadata.
A client who receives a full filter and several of these delta filters will:
- query each of the filters.
- return "revoked" if any of the queries returns "revoked".
- return "good" if any of the queries returns "good".
- return "not enrolled" if any of the queries returns "not enrolled".
- return "not covered".
This PR does not change what we publish. I want to watch the statsd telemetry for a bit and also update Firefox Nightly before we do that.
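The client lookup order listed above, as an added example that is not part of this PR or the crlite code base. `ToyFilter`, its fields and the timestamp-based coverage check are hypothetical stand-ins for a real filter, and the sample data is constructed.

```rust
use std::collections::HashSet;

// Variants run from lowest to highest precedence, so `max` picks the answer.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
enum Status { NotCovered, NotEnrolled, Good, Revoked }

// Toy stand-in for one filter (assumption: not the Clubcard data structure).
struct ToyFilter {
    enrolled: HashSet<&'static str>,       // issuers the filter enrolls
    covered_until: u64,                    // newest timestamp it covers
    revoked: HashSet<(&'static str, u64)>, // (issuer, serial) pairs it encodes
}

impl ToyFilter {
    fn query(&self, issuer: &'static str, serial: u64, ts: u64) -> Status {
        if !self.enrolled.contains(issuer) { return Status::NotEnrolled; }
        if ts > self.covered_until { return Status::NotCovered; }
        if self.revoked.contains(&(issuer, serial)) { Status::Revoked } else { Status::Good }
    }
}

// Query every filter and keep the highest-precedence result.
fn combined(filters: &[ToyFilter], issuer: &'static str, serial: u64, ts: u64) -> Status {
    filters.iter().map(|f| f.query(issuer, serial, ts)).max().unwrap_or(Status::NotCovered)
}

// Constructed sample: run 1 covers timestamps <= 100, run 2 covers <= 200.
fn sample_filters() -> Vec<ToyFilter> {
    vec![
        // Full filter: R1 = {serial 1}, relative to N1.
        ToyFilter { enrolled: HashSet::from(["issuer-a"]), covered_until: 100,
                    revoked: HashSet::from([("issuer-a", 1)]) },
        // Delta filter: R2 \ R1 = {serial 2}, relative to N2.
        ToyFilter { enrolled: HashSet::from(["issuer-a"]), covered_until: 200,
                    revoked: HashSet::from([("issuer-a", 2)]) },
    ]
}

fn main() {
    let filters = sample_filters();
    for (serial, ts) in [(1, 50), (2, 50), (3, 150), (3, 250)] {
        println!("serial {} @ {}: {:?}", serial, ts, combined(&filters, "issuer-a", serial, ts));
    }
}
```

Serial 1 is the case to watch: the delta filter alone answers "good" for it, because it only encodes R2 \ R1, so the full filter's "revoked" has to take precedence.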