* Storing a certificate hash tends to create operational complexity if
there is not an update mechanism when servers need to rekey
+## What needs to represent a trust anchor on an ID card
+
+* An optional base64-encoded CA certificate (a relatively long base64 string)
+* An optional subject name constraint (string)
+* An optional subject alternative name constraint (string)
+* An optional hash of a server certificate
+
+The server certificate hash field is mutually exclusive with the other fields.
+
## An option
constraints in the identity provisioning format
* Use the system trust anchor store for user-provisioned identities and
- do something about naming
+ do something about naminge
+
+## User Web Provisioning Format
+ <identities>
+ <identity>
+ <display-name>Unique Name</display-name>
+ <user>user_name</user>
+ <password>ENCRYPTEDPW</password>
+ <realm>issuer name</realm>
+ <services>
+ <service>xmpp@jabber.project-moonshot.org</service>
+ <service>email@project-moonshot.org</service>
+ </services>
+ <selection-rules>
+ <rule>
+ <pattern>PATTERN</pattern>
+ <always-confirm>true</always-confirm>
+ </rule>
+ <rule>
+ <pattern>ANOTHER_PATTERN</pattern>
+ <always-confirm>false</always-confirm>
+ </rule>
+ </selection-rules>
+ <trust-anchor>
+ <ca-cert>ABCDEFGHIJKLMNOPQRSTUVWXYZ123455678910</ca-cert>
+ <subject>Foo</subject>
+ <subject-alt>Bar</subject-alt>
+ <!-- Or alternatively -->
+ <server-cert>ABCDEFGHIJKLMNOPQRSTUVWXYZ123455678910</server-cert>
+ </trust-anchor>
+ </identity>
+ <identity>
+ <display-name>Another Identity</display-name>
+ <username>another_username</username>
+ </identity>
+ </identities>