Hi Russ,
On 2012-07-17, at 19:06, Russ Housley wrote:
I think you missed my point. In a PKI, when the issuer significantly changes
the policy, subsequent certificates have a different policy identifier. I do
not see a similar concept here.
You're right, I did miss your point, quite thoroughly :-)
I am guessing that the answer is that there's no corresponding facility in
DNSSEC to for a policy identifier to be published with a DNSKEY RR, but I say
that largely ignorant of X.509 and attendant CA policy and hence perhaps am
still misunderstanding what you're looking for.
Joe