> There are clients which
> a) return the certificate using "userCertificate;binary" or
> b) return the certificate using "userCertificate".
This sounds like a strong argument that supports updating servers to achieve interoperability with both groups. That's why I would prefer a solution that requires updated servers to support the native encoding of certificates (as would be returned when "userCertificate" is requested).
> As a server cannot support both at the same time, there is
> clearly an interoperability divide between implementations
Why is it that a server cannot support both groups?
If it remains the server's choice of whether or not to support group B, the interoperability divide remains unchanged. I believe the proposal should define the native encoding so that interoperability with group B can be attempted. This should not involve any comments about deprecation, as server implementations may take this as a reason not to support a request for "userCertificate". And there can be text indicating clients SHOULD request "userCertificate;binary".