Several key areas are still up for decision.
W3C crypto is broken.
The main problem for the core services is that XSL is not sensitive to XML namespaces, but hash functions of serialised XML are. So the obvious thing to do would be to define an extension to the W3C specs (e.g. a custom XSL transform to canonicalize the namespace prefixes and standardise the position of namespace nodes).
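The mismatch described above, as an added example (not code from this project): two packets that differ only in prefix choice and namespace declaration position hash differently until prefixes are normalised. Python's standard-library C14N 2.0 writer with prefix rewriting stands in for the custom XSL transform proposed here; the packet XML and the urn:example:* namespaces are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample packets. A and B carry the same namespaced elements and
# text; only the prefixes and the place where namespaces are declared differ.
PACKET_A = ('<p:packet xmlns:p="urn:example:packet" xmlns:s="urn:example:sig">'
            '<p:body>hello</p:body><s:sig>AAAA</s:sig></p:packet>')
PACKET_B = ('<a:packet xmlns:a="urn:example:packet"><a:body>hello</a:body>'
            '<b:sig xmlns:b="urn:example:sig">AAAA</b:sig></a:packet>')
# Same shape as A but with different body text: must never hash like A.
PACKET_TAMPERED = PACKET_A.replace("hello", "hellp")


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def digest_raw(xml_text):
    """Hash of the serialised bytes exactly as received."""
    return _sha256(xml_text)


def digest_c14n(xml_text):
    """Hash after canonicalisation that keeps the sender's prefixes."""
    return _sha256(ET.canonicalize(xml_text))


def normalise(xml_text):
    """Canonical form with prefixes replaced by generated ones and each
    namespace declared on the element where it is first used."""
    return ET.canonicalize(xml_text, rewrite_prefixes=True)


def digest_normalised(xml_text):
    """Hash that is stable across prefix and declaration-position changes."""
    return _sha256(normalise(xml_text))


if __name__ == "__main__":
    for name, fn in (("raw", digest_raw), ("c14n", digest_c14n),
                     ("normalised", digest_normalised)):
        same = fn(PACKET_A) == fn(PACKET_B)
        print(f"{name:10} A == B: {same}")
    print("tampered matches A:",
          digest_normalised(PACKET_TAMPERED) == digest_normalised(PACKET_A))
```

Prefix rewriting is only safe when no text or attribute value refers to a prefix by name; content that embeds QNames needs the canonicaliser's QName-aware options or must be excluded from the packet format.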
The cryptography of individual packets needs to be settled. Signed? Encrypted? Or Both? Or Neither? If so, how?
How fancy does this need to be? Currently, the only non-command line way of interfacing with the system is the debug GUI (/soft-systems/Account-Name/debug.php), which is good for debugging, but end users don't want to see this.
FF12 Client Specification
An elaborate specification exists for FF12 clients, but the code to implement this never quite got finished (Robin got tired of JS DOM and wanted a break). Is it too elaborate? The ad hoc (simpler) framework could be pretty effective.
Option for how to use a different XSLT processor
Perhaps using a PHP/Java bridge