TODO make certname validation more robust: check service ID of signing CA for member (data) certs add groups add caching of forum threads