Conflict with CA/B TLS requirements

[BrianSipos]

The CA/Browser baseline requirements for TLS certs in Section 7.1.2.7.12 "Subscriber Certificate Subject Alternative Name" requires that if a certificate contains an empty Subject then the Subject Alternative Name extension must be marked as critical.

When such a certificate is constructed, it fails to validate because the SAN extension is not present in this list:

certvalidator/certvalidator/validate.py

Lines 667 to 681 in c594f0e

	supported_extensions = set([
	'authority_information_access',
	'authority_key_identifier',
	'basic_constraints',
	'crl_distribution_points',
	'extended_key_usage',
	'freshest_crl',
	'key_identifier',
	'key_usage',
	'ocsp_no_check',
	'certificate_policies',
	'policy_mappings',
	'policy_constraints',
	'inhibit_any_policy',
	])

What is the reason for having this restricted list in the first place? It seems to conflict with the API docs for validate_path() here:

certvalidator/certvalidator/validate.py

Lines 31 to 32 in c594f0e

	Critical extensions on the end-entity certificate are not validated
	and are left up to the consuming application to process and/or fail on.

[BrianSipos]

This is also a requirement from RFC 5280 that when a Subject is empty, the SAN extension is marked as critical.