This is a follow up on the first PR #14884

Right now, we only verify incoming SVIDs against the given trust bundles, but never use the existing match_subject_alt_names in the validation context. This must be supported in order to provide authz functionality in the SPIFFE validator.

The point I would like to discuss before I start implementation is that "Should we match any SAN other than URI SAN ?".

Since SPIFFE specification does not limit the DNS SANs or any others, but it only has the restriction that "SVID must contain exactly one URI SAN" (see the discussion here), it seems that we should match only the URI SAN and ignore others.

@azdagron @evan2645 thoughts?

cc @lizan