Although IPv6 addresses may be passed to the certificate discovery, the
internal default for no nsid is IPv4. This means that practically the
trailing 12 bytes are ignored. All addresses are expected to be in
network byte order.

NSID 1 'certificates' may be used if they are visible in the local cache.
The network request and response part can handle ONLY NSID 8, thus only
NSID 8 certificates can be exchanged.

Currently a lot of superfluous dh_data entries are allocated and kept
when hunting for a new omk,rmk relation, or doing secret_add. No timeout
exists, the in-core cache never shrinks. These are serious deficiencies
that could be fixed at a later time.

Certificate discovery should address itself to multiple hosts at the same 
time, kind of working in parallel.

Now a sample for a secret value file, which could be put into /secret/
and used as input for cert_make.

#valid since (hex)
00000001
#valid until (hex)
ffffffff
#Base g (hex)
02
#Modulus p (hex)
F488FD584E49DBCD20B49DE49107366B336C380D451D0F7C88B31C7C5B2D8EF6F3\
C923C043F0A55B188D8EBB558CB85D38D334FD7C175743A31D186CDE33212CB52A\
FF3CE1B1294018118D7C84A70A72D686C40319C807297ACA950CD9969FABD00A50\
9B0246D3083D66A45D419F9C7CBD894B221926BAABA25EC355E92F78C7
#secret value (hex)
<set your own value here>

Currently, two name spaces are supported:
01-123.12.34.56-1
NSID '1' and an IP address: This is the default secret key, if no NSID is
passed with the SKIP packet.
08-0123456789abcdef0123456789abcdef-1
NSID '8' and an MD5 hash: Secret key in the case the public key is identified
by its hash value. Both file names may be linked to the same data. The MD5
hash and public value can be derived with cert_make.

Public keys contain the same entries, but instead of the secret value, the
public value is stored. Later on, certificate data should be stored after
the public value. This would begin with the certificate type ID and then
contain (yet to be defined) data. 

Certificate names contain a trailing 'unique' number. This does *not* mean
that there may be more than one certificate for one name, unless they have
disjoint validity times.
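
The following Python example reads the file layout and the two name forms
shown above and rejects malformed input. It is added here and is not the
project's own parser; it assumes that '#' lines are comments, that a trailing
backslash continues a hex value, that fields come in the order of the sample,
and that the NSID prefix is two decimal digits. The function names and the
SAMPLE values are constructed.

```python
import ipaddress
import re

FIELDS = ("valid_since", "valid_until", "g", "p", "value")  # order in the sample

# Constructed toy input; the numbers are far too small for real use.
SAMPLE = "#valid since (hex)\n00000001\n#valid until (hex)\nffffffff\n" \
         "#Base g (hex)\n02\n#Modulus p (hex)\nFFFFFFFF\\\nFFFFFFC5\n" \
         "#secret value (hex)\n1234abcd\n"

def parse_key_file(text):
    """Assumed syntax: '#' starts a comment line, a trailing backslash
    continues a hex value on the next line, fields are positional."""
    values, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        values.append(int(pending + line, 16))  # ValueError on non-hex text
        pending = ""
    if pending or len(values) != len(FIELDS):
        raise ValueError("expected exactly %d hex fields" % len(FIELDS))
    key = dict(zip(FIELDS, values))
    if key["valid_since"] > key["valid_until"]:
        raise ValueError("validity window is empty")
    if not 1 < key["g"] < key["p"]:
        raise ValueError("base g must lie between 1 and p")
    return key

def parse_key_name(name):
    """Split 'NSID-name-unique' and check the name against its name space."""
    m = re.fullmatch(r"(\d{2})-(.+)-(\d+)", name)
    if not m:
        raise ValueError("not of the form NSID-name-unique: %r" % name)
    nsid, ident, unique = int(m.group(1)), m.group(2), int(m.group(3))
    if nsid == 1:
        ident = ipaddress.IPv4Address(ident)  # raises ValueError if malformed
    elif nsid == 8 and re.fullmatch(r"[0-9a-fA-F]{32}", ident):
        ident = bytes.fromhex(ident)          # 16-byte MD5 hash
    else:
        raise ValueError("unsupported NSID or malformed name: %r" % name)
    return nsid, ident, unique
```

A file that still carries the unedited placeholder in the secret value field
fails in parse_key_file with ValueError instead of being loaded as a key.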
