Proposal: Supporting URI SAN in Certificate Authentication

Hello PostgreSQL Hackers,

I’d like to open the discussion about adding support for URI Subject
Alternative Names (URI SAN) in PostgreSQL certificate authentication.
Today, PostgreSQL only supports extracting identity from the certificate
Subject (CN or full DN). This limits interoperability with modern workload
identity systems that rely on URI-based identities:
* Cockroach Labs added URI SAN support for SPIFFE/SPIRE:
https://www.cockroachlabs.com/blog/zero-trust-database-authentication-spiffe-spire
* The IETF WIMSE Working Group is standardizing URI-based workload
identities: https://datatracker.ietf.org/group/wimse/about

Proposal: Allow certificate authentication to use URI SAN entries as the
client identity (e.g. via a clientname=uri option in pg_hba.conf), in
addition to the existing CN/DN options.

Questions:
* Is there interest in this feature from the community?
* Are there known objections or prior discussions around using SAN (and
specifically URI SAN) for identity in PostgreSQL auth?
* How should multiple URI SAN entries be handled (first match, require
uniqueness, mapping rules, etc.)?

Thanks,
Olivier Cano