Description
In CT, it's required that each cert signs the previous one and the chain ends in either an accepted root or a cert signed by a trusted/accepted root. We've carried over those requirements for bootstrap MTC for now, but this means that cross-signed chains (like the one served by google.com to curl user agents) fail chain validation because of the extra appended GlobalSign root (not trusted by Google).
We could require that clients only submit compliant bootstrap chains without an appended untrusted root (as we do now), or we could relax the MTC chain validation to stop validating the chain as soon as a trusted root is encountered and ignore the rest of the chain. If we do this, we'd need to make sure that we don't include the extraneous roots in the bootstrap log entry either.
The relaxed chain validation would be useful if this library ends up getting used in other clients that need to do chain validation.
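The relaxed validation described above, as an added Go sketch that is not this library's code: it stops at the first certificate that is, or is signed by, a trusted root and returns only that prefix, so extraneous roots never reach the log entry. The names `TruncateAtTrustedRoot` and `sampleChain` are illustrative, the certificates are constructed Ed25519 test certificates, and only signature linkage is checked (no expiry, name or constraint checks).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TruncateAtTrustedRoot (illustrative name) returns the leaf-first prefix ending at the first certificate that is, or is signed by, a trusted root.
func TruncateAtTrustedRoot(chain, roots []*x509.Certificate) ([]*x509.Certificate, error) {
	for i, c := range chain {
		for _, r := range roots {
			if c.Equal(r) || c.CheckSignatureFrom(r) == nil {
				return chain[:i+1], nil // later certificates are ignored and stay out of the log entry
			}
		}
		if i+1 < len(chain) && c.CheckSignatureFrom(chain[i+1]) != nil {
			return nil, fmt.Errorf("certificate %d is not signed by certificate %d", i, i+1)
		}
	}
	return nil, fmt.Errorf("chain of %d certificates does not reach a trusted root", len(chain))
}

// sampleChain builds a constructed chain (leaf, intermediate, cross-signed root, untrusted root) and a one-root trust store.
func sampleChain() (chain, roots []*x509.Certificate) {
	var k [4]ed25519.PrivateKey // constructed keys: leaf, intermediate, trusted root, untrusted root
	for i := range k {
		_, k[i], _ = ed25519.GenerateKey(rand.Reader)
	}
	issue := func(cn, issuer string, key, signer int) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
			BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
		parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}}
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, k[key].Public(), k[signer])
		c, _ := x509.ParseCertificate(der)
		return c
	}
	chain = []*x509.Certificate{issue("leaf", "Intermediate", 0, 1), issue("Intermediate", "Trusted Root", 1, 2),
		issue("Trusted Root", "Untrusted Root", 2, 3), issue("Untrusted Root", "Untrusted Root", 3, 3)}
	return chain, []*x509.Certificate{issue("Trusted Root", "Trusted Root", 2, 2)}
}

func main() {
	kept, err := TruncateAtTrustedRoot(sampleChain())
	fmt.Println(len(kept), "certificates kept for the log entry, error:", err)
}
```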