The TLS code understands three different things it can verify: the subject, the
issuer, and the root. The existing code assumes that any attribute we can
verify against one of these is also verifyable against the others.
For Subject Alternative Name, this might not be true. There exists both
Subject Alternative Name and Issuer Alternative Name. This code change allows
one to write "I.subjectAltName=Foo", and we'll verifiy a Subject Alt Name
against the Issuer, which wouldn't be right. Issuer Alternative Name isn't a
requested feature (yet?), so I'm punting on this problem.
Alvin Moore