source: heimdal/trunk/lib/hx509/TODO@ 5

Handle private_key_ops better, esp wrt ->key_oid

Better support for keyex negotiation, DH and ECDH.

x501 name
        parsing
        comparing (ldap canonlisation rules)

DSA support
DSA2 support

Rewrite the pkcs11 code to support the following:

        * Reset the pin on card change.
        * Ref count the lock structure to make sure we have a
          prompter when we need it.
        * Add support for CK_TOKEN_INFO.CKF_PROTECTED_AUTHENTICATION_PATH

x509 policy mappings support

CRL delta support

Qualified statement
        https://bugzilla.mozilla.org/show_bug.cgi?id=277797#c2


Signed Receipts
        http://www.faqs.org/rfcs/rfc2634.html
        chapter 2

tests
        nist tests
                name constrains
                policy mappings
                http://csrc.nist.gov/pki/testing/x509paths.html

        building path using Subject/Issuer vs SubjKeyID vs AuthKeyID
        negative tests
                all checksums
                conditions/branches

pkcs7
        handle pkcs7 support in CMS ?

certificate request
        generate pkcs10 request
                from existing cert
        generate CRMF request
                pk-init KDC/client
                web server/client
                jabber server/client 
                email


x509 issues:

 OtherName is left unspecified, but it's used by other
 specs. creating this hole where a application/CA can't specify
 policy for SubjectAltName what covers whole space. For example, a
 CA is trusted to provide authentication but not authorization.