`oauth::IdentityToken` always uses "email" as the identity of the token -- but some OIDC issuers, like GitHub Actions, use "sub" as the identity and Fulcio does support that...
- tokens with "sub" identity should be supported (and in fact this should likely be the default): currently they fail to parse
- signing and verification should be possible with "sub" identities, so issuers like GitHub Actions can be used
See also #409
I'll try fixing at least the first issue in #412