ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

2012-07-18 10:56:09
from [Stephen Kent] [Permanent Link] 
Joe

You're right, I did miss your point, quite thoroughly :-)

I am guessing that the answer is that there's no corresponding facility in 
DNSSEC to for a policy identifier to be published with a DNSKEY RR, but I say 
that largely ignorant of X.509 and attendant CA policy and hence perhaps am 
still misunderstanding what you're looking for.
In X.509 each cert can contain a policy OID that indicates the policy under which the cert was issued. Thus, when a CA changes it's policy it can issue certs under the new policy with the new policy OID. This makes it clear to relying parties what policy is in effect, and when a CA changes its policy, irrespective of 
other changes, e.g., key rollover.

Steve
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08, Russ Housley
Next by Date:  Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08, Joe Abley
Previous by Thread:  Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08, Russ Housley
Next by Thread:  Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08, Joe Abley
Indexes:  [Date] [Thread] [Top] [All Lists]