things we might want to do                              -*- outline -*-

* Map LDAP error codes

* Optimize lookup
** Use the most likely server first.
   This is the server where a baseDN has been given and that baseDN is
   contained in the search pattern.

* name subordination (nameRelativeToCRLIssuer)
  is not yet supported by Dirmngr.

* CRL DP URI
  The CRL DP shall use a URI for LDAP without a host name.  The host
  name shall be looked up using the DN in the URI.  We don't implement
  this yet.  A solution is to have a DN->host mapping in our ldapservers
  configuration file.

* Support certs-only CMS messages
  Some sites store their certificates under userSMIMECertificate.  To
  handle them we need to parse a CMS message and break out all
  certificates.  Requested by Neil Dunbar.  I have added some code
  fragments to ldap.c but it needs to be finished.

* Test OCSP responder redirection.
  We need to find an OCSP responder that actually uses redirection.

* Restrict valid root certificates
  For some purposes (e.g. Poldi) it might make sense to allow the
  caller to restrict what root certificates are to be used for the
  chain validation.

* Windows port (unknown if these bugs also occur in GNU/Linux):
  We are leaking some events under load, probably a bug in w32-pth.
  When hashing debugging is enabled, we leak file handles for the
  dbgmd crl files.  May be a bug in gcrypt.