Allow validating of user IDs with paths longer than two
After implementing sop validate-userid it occurred to me that the interface only allows validating user IDs where one of the trust roots makes a direct assertion about a target certificate and user ID, i.e. the length of the certification chain is two: it includes the trust root and the target.
It'd be nice to be able to hand additional certs to the validate-userid command so that we can use delegations to third parties to authenticate the target certificate and user ID.
For that, we need a third kind of certificate argument to validate-userid. I pondered a bit how to name that argument, and arrived at either --adjacent-certs or --corroborative-certs, either expressing (the hope) that the certificates are adjacent in the authentication graph forming a path from root to target, or stressing the intention of adding corroborative evidence that can be used to build a path.
Having said that, I'm not overly excited about either term, so feel free to come up with a different one!
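To make the request concrete, here is an added sketch (not part of the original issue, and not code from sop or any implementation) of a path search over certifications, showing why a direct-assertion-only interface fails and how supplying an intermediate cert lets a delegation complete the path. It is a simplified model: names such as `find_path` and `Certification` are hypothetical, fingerprints are placeholders, and signature verification, trust amounts, expiry and revocation are ignored.

```python
from collections import deque
from typing import NamedTuple

class Certification(NamedTuple):
    issuer: str   # fingerprint of the certifying cert
    target: str   # fingerprint of the certified cert
    userid: str   # user ID the certification covers
    depth: int    # 0 = plain certification, >= 1 = delegation (trust depth)

def find_path(roots, supplied, target, userid, certifications):
    """Return fingerprints from a trust root to target, or None if no path.

    A certification is usable only if both its issuer and its target are
    among the supplied certs (roots, target and any additional certs).
    """
    by_issuer = {}
    for c in certifications:
        if c.issuer in supplied and c.target in supplied:
            by_issuer.setdefault(c.issuer, []).append(c)
    # allowance = how many more hops this cert may vouch for; roots are unlimited
    best = {r: float("inf") for r in roots}
    queue = deque((r, float("inf"), [r]) for r in roots)
    while queue:
        node, allowance, path = queue.popleft()
        for c in by_issuer.get(node, []):
            if c.target == target and c.userid == userid:
                return path + [target]
            granted = min(allowance - 1, c.depth)  # delegation shrinks per hop
            if granted >= 1 and granted > best.get(c.target, 0):
                best[c.target] = granted
                queue.append((c.target, granted, path + [c.target]))
    return None

# Constructed sample data: placeholder fingerprints and user IDs.
CERTS = [
    Certification("ROOT", "CA", "<ca@example.org>", 1),       # delegation
    Certification("CA", "ALICE", "<alice@example.org>", 0),   # plain
    Certification("CA", "SUB", "<sub@example.org>", 1),       # exceeds CA's allowance
    Certification("SUB", "BOB", "<bob@example.org>", 0),
]

if __name__ == "__main__":
    alice = ("ALICE", "<alice@example.org>")
    print(find_path({"ROOT"}, {"ROOT", "ALICE"}, *alice, CERTS))        # None
    print(find_path({"ROOT"}, {"ROOT", "CA", "ALICE"}, *alice, CERTS))  # ['ROOT', 'CA', 'ALICE']
```

The BOB binding stays unauthenticated even with every cert supplied, because the root's depth-1 delegation lets CA certify bindings but not appoint further introducers.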