things we might want to do                     -*- outline -*-

* Map LDAP error codes

* Optimize lookup
** Use the most likely server first.
   This is the server where a baseDN has been given and that baseDN is
   contained in the search pattern.

* name subordination (nameRelativeToCRLIssuer)
  is not yet supported by Dirmngr.

* CRL DP URI
  The CRL DP shall use a URI for LDAP without a host name.  The host
  name shall be looked up by using the DN in the URI.  We don't implement
  this yet.  Solution is to have a mapping DN->host in our ldapservers
  configuration file.

* Support certs-only CMS messages
  Some sites store their certificates under userSMIMECertificate.  To
  handle them we need to parse a CMS message and break out all
  certificates.  Requested by Neil Dunbar.  I have added some code
  fragments to ldap.c but it needs to be finished.

* Test OCSP responder redirection.
  We need to find an OCSP responder that actually uses redirection.

* Restrict valid root certificates
  For some purposes (e.g. Poldi) it might make sense to allow the
  caller to restrict what root certificates are to be used for the
  chain validation.

* Windows port (unknown if these bugs also occur in GNU/Linux):
  We are leaking some events under load, probably a bug in w32-pth.
  When hashing debugging is enabled, we leak file handles for the
  dbgmd crl files.  May be a bug in gcrypt.