$Id$

x501 name
	parsing
	comparing (ldap canonlisation rules)

DSA support
DSA2 support

x509 policy mappings support

CRL delta support

crypto
	make signing alg depend on signer if not given

tests
	nist tests
		name constrains
		policy mappings
		http://csrc.nist.gov/pki/testing/x509paths.html

	building path using Subject/Issuer vs SubjKeyID vs AuthKeyID
	negative tests
		all checksums
		conditions/branches

pkcs7
	handle pkcs7 support in CMS ?

certificate request
	generate pkcs10 request
		from existing cert
	generate CRMF request
		pk-init KDC/client
		web server/client
		jabber server/client 
		email


x509 issues:

 OtherName is left unspecified, but its used by other
 specs. creating this hole where a application/CA can't specify
 policy for SubjectAltName what covers whole space. For example, a
 CA is trusted to provide authentication but not authorization.