Closed cardonator closed 1 year ago
@christopher-henderson this is ready for review. I can't add you as a reviewer myself.
Thanks for the review @christopher-henderson. I had one question above, but otherwise it should be ready to re-review. 👍
e: I confirmed internally that I shouldn't have allowed https.
As part of the SMIME work, I discovered at least one example of a cert that was issued using an outdated OCSP URL that would have been valid prior to the SMIME BRs. The rules around the AIA paths are not super strict but they are similar for both TLS and SMIME requirements, which read:
For publicly trusted certificates that are present in CT logs, these URLs are required to point to a resolvable location and shouldn't contain internal names. However, that requirement is not strictly codified in the requirements but is implied by what the resource is intended to point to. This lint intends to check for and warn on this condition, which may not be an actual problem but probably is.
Note: I don't believe the Legacy lint is quite right here. The rule for Legacy reads
The current lint tries to parse the URL and make sure the DNS name has a valid TLD. Should I instead try to validate the scheme of the field before parsing in that lint only?
I also combined the Strict and Multipurpose lints into one as they have the same requirements.
Feedback welcome and desired!
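The checks the PR description talks about (http scheme only, per the note that https should not have been allowed; a DNS host rather than an IP literal; no single-label or internal names; a plausible TLD), as an added Go example that is not zlint's code and not part of this PR. It self-signs a throwaway certificate carrying constructed AIA URLs, parses it back, and reports one finding per problem so that the checks run on real DER rather than on bare strings. The `reservedTLDs` set and the alphabetic-last-label heuristic are assumptions standing in for the IANA TLD list that a real lint consults; all host names and the `AIAFinding` type are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"strings"
	"time"
)

// AIAFinding is one problem found with a single AIA URL.
type AIAFinding struct {
	Field string // "OCSP" or "CA Issuers"
	URL   string
	Msg   string
}

// reservedTLDs is an assumed set of last labels that mark an internal,
// non-public name: RFC 2606 / RFC 6762 names plus common corporate
// suffixes. A real lint would consult the IANA TLD list instead.
var reservedTLDs = map[string]bool{
	"local": true, "localhost": true, "localdomain": true, "internal": true,
	"corp": true, "lan": true, "home": true, "test": true, "example": true, "invalid": true,
}

// hasPlausibleTLD is a stand-in for a proper TLD-list lookup: the host
// needs at least two labels and an alphabetic, non-reserved last label.
// IDN TLDs (xn--...) would need the real list; this heuristic rejects them.
func hasPlausibleTLD(host string) bool {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return false // single-label names are never publicly resolvable
	}
	tld := labels[len(labels)-1]
	if len(tld) < 2 || reservedTLDs[tld] {
		return false
	}
	for _, r := range tld {
		if r < 'a' || r > 'z' {
			return false
		}
	}
	return true
}

// checkAIAURL applies the PR's checks to one AIA URL: it must parse, use
// the http scheme (not https), carry a DNS host name rather than an IP
// literal, and that name must look like a public, non-internal name.
func checkAIAURL(field, raw string) []AIAFinding {
	var out []AIAFinding
	add := func(msg string) { out = append(out, AIAFinding{Field: field, URL: raw, Msg: msg}) }

	u, err := url.Parse(raw)
	if err != nil {
		add("unparseable URL: " + err.Error())
		return out
	}
	if u.Scheme != "http" {
		add(fmt.Sprintf("scheme must be http, got %q", u.Scheme))
	}
	host := u.Hostname()
	if host == "" {
		add("missing host")
		return out
	}
	if net.ParseIP(host) != nil {
		add("host is an IP literal, not a DNS name")
		return out
	}
	if !hasPlausibleTLD(host) {
		add("host does not end in a public TLD (internal name?)")
	}
	return out
}

// checkCertificateAIA runs checkAIAURL over every OCSP and CA Issuers URL
// that the parsed certificate's AIA extension carries.
func checkCertificateAIA(cert *x509.Certificate) []AIAFinding {
	var out []AIAFinding
	for _, u := range cert.OCSPServer {
		out = append(out, checkAIAURL("OCSP", u)...)
	}
	for _, u := range cert.IssuingCertificateURL {
		out = append(out, checkAIAURL("CA Issuers", u)...)
	}
	return out
}

// buildTestCert self-signs a throwaway certificate with the given AIA URLs
// and parses it back. Constructed input; not a certificate from any CA.
func buildTestCert(ocsp, caIssuers []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "aia-lint-test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		OCSPServer:            ocsp,
		IssuingCertificateURL: caIssuers,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := buildTestCert(
		[]string{"http://ocsp.example.com", "https://ocsp.example.com"},
		[]string{"http://ca.corp.internal/ca.crt", "http://10.0.0.5/ca.crt"},
	)
	if err != nil {
		panic(err)
	}
	for _, f := range checkCertificateAIA(cert) {
		fmt.Printf("%-10s %-32s %s\n", f.Field, f.URL, f.Msg)
	}
}
```

Running it reports three findings out of the four constructed URLs: the https OCSP responder, the `.internal` CA Issuers host, and the IP-literal CA Issuers host; only `http://ocsp.example.com` passes. The scheme is checked after `url.Parse` rather than before it, which is the cheaper answer to the question raised above about validating the scheme first: `url.Parse` accepts any scheme, so the lint can still inspect `u.Scheme` on the parsed value and does not need a separate pre-check.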