Description
Normally, the type of name constraints that are applied (DNS name, email address, URI, etc.) can be encoded in an X.509 cert that's part of the cert chain in the TLS handshake, but this isn't sufficient if the entity in charge of the name constraints is a smart contract (since X.509 certs only have a standard keypair controlling them). Setting the type of name constraints as part of the stapled signature check would avoid this problem.
We could put a different hostname field in the stapled data for each type of name constraint, but IMO this is too unwieldy for casual use. I think instead putting one "name type" field there, which would contain dns/email/uri should do the job fine. If someone can point to a real-world need for more flexible usage, we can consider that.
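As an added illustration (not code from this issue or the project), this is how a verifier could apply a single `name_type` field from the stapled data, reusing the RFC 5280 name-constraint matching rules for DNS names, email addresses and URIs; the record layout (`name_type`, `name`, `permitted`) is an assumption made for the example.

```python
from urllib.parse import urlsplit

# Matching rules follow RFC 5280 section 4.2.1.10 semantics for dNSName,
# rfc822Name and uniformResourceIdentifier constraints.

def _dns_match(name: str, constraint: str) -> bool:
    # "example.com" permits example.com and any subdomain, but not evilexample.com
    name = name.lower().rstrip(".")
    constraint = constraint.lower().lstrip(".").rstrip(".")
    return name == constraint or name.endswith("." + constraint)

def _email_match(name: str, constraint: str) -> bool:
    name, constraint = name.lower(), constraint.lower()
    if "@" in constraint:               # a specific mailbox
        return name == constraint
    local, _, host = name.rpartition("@")
    if not local or not host:
        return False
    if constraint.startswith("."):      # any mailbox at a host within the domain
        return host.endswith(constraint)
    return host == constraint           # mailboxes on exactly this host

def _uri_match(name: str, constraint: str) -> bool:
    # the constraint applies to the host part of the URI only
    host = (urlsplit(name).hostname or "").lower()
    constraint = constraint.lower()
    if not host:
        return False                    # no host (e.g. mailto:) can never match
    if constraint.startswith("."):      # ".example.com" permits subdomains, not the apex
        return host.endswith(constraint)
    return host == constraint

MATCHERS = {"dns": _dns_match, "email": _email_match, "uri": _uri_match}

def check_stapled_name(stapled: dict, constraint: dict) -> bool:
    """True if the stapled name is permitted by the constraint record.

    Both records carry one name_type (dns/email/uri); the hypothetical layout is
    {"name_type": ..., "name": ...} and {"name_type": ..., "permitted": [...]}.
    """
    if stapled.get("name_type") != constraint.get("name_type"):
        return False   # type mismatch: an email constraint says nothing about a DNS name
    match = MATCHERS.get(stapled["name_type"])
    if match is None:
        return False   # unknown type: fail closed rather than skip the check
    return any(match(stapled["name"], c) for c in constraint.get("permitted", []))
```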