Nico Williams
I've worked with or on Kerberos for about 28 years, and I've worked on Heimdal for about 15 years. I'm a Sun Microsystems, Inc. alumnus, and have worked for banks and hedge funds as a consultant and employee. I am also an erstwhile jq and Heimdal maintainer.
Session
Heimdal has an ASN.1 compiler and library that can fully encode/decode a certificate including all its extensions in one codec invocation. It does this by leveraging the RFC 5912 object sets, parameters, and constraints on PKIX. Showcasing Heimdal's ASN.1 tooling might help OpenSSL develop its own (or borrow Heimdal's) to a) be able to use ASN.1 modules as-is rather than having to rely on error-prone manual translation to OpenSSL's macros for defining ASN.1 types, and b) to get automatic use of RFC 5911 and 5912 to simplify the use of ASN.1 in OpenSSL.
For example, Heimdal can decode a certificate and print it as JSON, with all the certificate's extensions fully decoded, in two invocations: one to decode a DER-encoded certificate, and one to encode the result as JSON.