@aral I've dealt with X.509 a lot in the past when working in electronic signature industry (also XAdES, CMS etc) and it's a nightmare.

A classic 90's technical committee invention - any *potential* usage reflected in standard, most of which never materialised, but muddied it and overcomplicated to an unbelievable extent.

A good example how crap solutions become so widespread that better ones can't be introduced. SPKI was a very nice replacement, but largely ignored...