+The parsers are inherited from libubox, and despite the extremely good reputation of the blob it must not be unmenetioned that libubox also most likely wasn't intended to be used for cryptographic purposes.
+Yet it does provide the mechanisms needed (data-encapsulation, parsing, ...) in a way much more straight forward than any ASN.1 implementation ever could at a fraction of the source footprint.
+
+
+## handling revokation
+ucert generates a revoker certificate for each issued authorization certificate. Unlike X.509, the revokation mechanism is rather flat: It only allows keys present in pubkeydir (ie. /etc/opkg/keys) to revoke any other key. There are no means for delegation of revokation or anything the like.
+
+When ucert is called with the `-R` command to process a chain of revokers, each of them is verified against the pubkeydir. Once validated, a dead symlink for the revoked key is created in /etc/opkg/keys.
+
+Currently the signatures of the to-be-revoked keys are signed one-by-one -- if that turns out to be a scalability concern, revokation could easily be changed to operate with lists of to-be-revoked pubkeys. The advatage of the current implementation is that revokers can simple be appended and hence who ever takes care of the update or provisioning mechanism serving those revokers doesn't need to know anything about the internal affairs of ucert. They can simply use `cat`.
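Review bot: In the `-R` paragraph under "handling revokation", the text says a dead symlink for the revoked key is created in /etc/opkg/keys but does not say how the link is named or what effect it has on later verification, so a reader cannot tell how to check whether a given key has been revoked. Please add a sentence covering both, and refer to pubkeydir there instead of the hard-coded path, since the preceding paragraph gives /etc/opkg/keys only as an example ("ie."). In the last paragraph, "the signatures of the to-be-revoked keys are signed one-by-one" reads as signing signatures; from context the intent appears to be that each revoker covers exactly one key, so it would be clearer to say that. In the first added line, "the blob" is not defined anywhere in the lines shown. Spelling to fix while here: "unmenetioned", "revokation" (revocation, including the heading), "advatage", "can simple be appended", "who ever"; there is also a doubled blank line before the heading.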