Joe
You're right, I did miss your point, quite thoroughly :-)
I am guessing that the answer is that there's no corresponding facility in
DNSSEC for a policy identifier to be published with a DNSKEY RR, but I say
that largely ignorant of X.509 and attendant CA policy and hence perhaps am
still misunderstanding what you're looking for.
In X.509 each cert can contain a policy OID that indicates the policy
under which the cert was issued. Thus, when a CA changes its policy it
can issue certs under the new policy with the new policy OID. This makes
it clear to relying parties what policy is in effect, and when a CA
changes its policy, irrespective of other changes, e.g., key rollover.
Steve