- Remove tests for 512-bit key sizes (#1150682)

- Accept cases where NSS insists on 2048-bit DSA
- Drop workarounds for DSA keygen with NSS
- Get vague about what we expect from certutil
- Accept 1016 instead of 1024 bit for DSA keygen
- Add an alternate accepted result for DSA keygen
- Fix a possible uninitialized memory read

- pass $CERTMONGER_REQ_IP_ADDRESS to enrollment helpers if the signing request
  includes IP address subjectAltName values
- correctly verify signatures on SCEP server replies when the signer is neither
  the top-level CA nor the RA (feedback in #1161768)
- correctly verify signatures on SCEP server replies when there is more than
  one certificate in the chain between the RA and the top-level CA (feedback in

- add a missing test case file (whoops)

- backport changes from 0.63/0.64/0.65 to broaden the scope of locks which
  certmonger uses internally to keep it from doing to much with the outside
  world (#893611)

- when a caller sets the is-default flag on a CA, and another CA is no longer
  the default, emit the PropertiesChanged signal on the CA which is not the
  default, instead on the new default a second time
- drop some dead code from the D-Bus message handlers (static analysis,
  - cache public keys when we read private keys
- go back to printing an error indicating that we're missing a required
  argument when we're missing a required argument, not that the option is
  invalid (broken since 0.51, #796542)

- tweak the patch for #750617 to handle the case where xmlrpc-c doesn't
  offer dont_advertise as an option (Rob Crittenden)

- correct some build failures

- getcert: fix a buffer overrun preparing a request for the daemon when
  there are more parameters to encode than space in the array (#696185)
- updated translations: de, es, id, pl, ru, uk