things we might want to do                              -*- outline -*-

* Map LDAP error codes

* Optimize lookup
** Use the most likely server first.
   This is the server where a baseDN has been given and that baseDN is
   contained in the search pattern.

* name subordination (nameRelativeToCRLIssuer) 
  is not yet supported by Dirmngr.

* CRL DP URI
  The CRL DP shall use an URI for LDAP without a host name.  The host
  name shall be looked by using the DN in the URI.  We don't implement
  this yet.  Solution is to have a mapping DN->host in our ldapservers
  configuration file.

* Support certs-only CMS messages
  Some sites store their certificates under userSMIMECertificate.  To
  handle them we need to parse a CMS message and break of all
  certificates. Requested by Neil Dunbar.  I have added some code
  fragments to ldap.c but it needs to be finished.

* Various problems with German SigG certs
  We need to implement the chain-validation-model and come up with a
  way to verify the intermediate certificates.  There are no CRLs
  available and using OCSP with the same responder is point less.
  Needs more investigation.

* Test OCSP responder redirection.
  We need to figure out an OCSP responder actually using rediection.