Description
The credential format v3 is not extensible. Supporting planned new features will require a new credential format. This format should be extensible to accommodate new features and functionality without having to update to another fixed format requiring backwards-compatibility to old formats.
Planned new features include:
- embedding multiple DEKs to facilitate key rotation (support for transitioning to a new key (aka key rotation) #19)
- embedding the SELinux security context (embed SELinux security context into credential metadata #70)
- restricting credential decoding based on the origin IP address (add MUNGE_OPT_ADDR_RESTRICTION context option #71)
- supporting 64-bit `time_t` values (support 64-bit time_t values #88)