Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

Joe
You're right, I did miss your point, quite thoroughly :-)

I am guessing that the answer is that there's no corresponding facility in DNSSEC for a policy identifier to be published with a DNSKEY RR, but I say that largely ignorant of X.509 and attendant CA policy and hence perhaps am still misunderstanding what you're looking for.

In X.509 each cert can contain a policy OID that indicates the policy under which the cert was issued. Thus, when a CA changes its policy it can issue certs under the new policy with the new policy OID. This makes it clear to relying parties what policy is in effect, and when a CA changes its policy, irrespective of other changes, e.g., key rollover.

Steve
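The mechanism Steve describes, as an added Go example that is not part of the thread or of the draft: a CA asserts a policy OID in each certificate's certificatePolicies extension (RFC 5280, id-ce 32), and a relying party decides from that OID alone whether a certificate was issued under the policy it requires, independent of any key rollover. The two policy OIDs are constructed values under the 2.999 documentation arc, the certificates are self-signed only so the example runs offline, and the extension is encoded by hand so the example does not depend on which of Go's two policy fields a given Go version marshals.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Constructed example policy OIDs under the 2.999 arc, which is reserved for
// documentation examples. A real CA would use an OID it has registered.
var (
	PolicyV1 = asn1.ObjectIdentifier{2, 999, 1} // the CA's original policy
	PolicyV2 = asn1.ObjectIdentifier{2, 999, 2} // the policy after a CA policy change
)

// oidCertificatePolicies is id-ce-certificatePolicies (2.5.29.32) from RFC 5280.
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// policyInformation mirrors RFC 5280 PolicyInformation with the optional
// policyQualifiers omitted, so it DER-encodes as SEQUENCE { policyIdentifier OID }.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// certificatePoliciesExt DER-encodes a certificatePolicies extension asserting
// the given policy OIDs (a SEQUENCE OF PolicyInformation).
func certificatePoliciesExt(oids ...asn1.ObjectIdentifier) (pkix.Extension, error) {
	infos := make([]policyInformation, 0, len(oids))
	for _, o := range oids {
		infos = append(infos, policyInformation{Policy: o})
	}
	val, err := asn1.Marshal(infos)
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidCertificatePolicies, Value: val}, nil
}

// IssueCert creates a self-signed certificate asserting one policy OID and
// returns its DER encoding. Self-signed only to keep the example offline.
func IssueCert(policy asn1.ObjectIdentifier) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ext, err := certificatePoliciesExt(policy)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "policy-oid-demo"}, // constructed name
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{ext},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// PoliciesOf parses a DER certificate and returns the policy OIDs it asserts.
func PoliciesOf(der []byte) ([]asn1.ObjectIdentifier, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return cert.PolicyIdentifiers, nil
}

// AssertsPolicy is the relying-party side: accept the certificate only if it
// asserts the policy the relying party requires.
func AssertsPolicy(der []byte, required asn1.ObjectIdentifier) (bool, error) {
	policies, err := PoliciesOf(der)
	if err != nil {
		return false, err
	}
	for _, p := range policies {
		if p.Equal(required) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	oldCert, err := IssueCert(PolicyV1)
	if err != nil {
		panic(err)
	}
	newCert, err := IssueCert(PolicyV2)
	if err != nil {
		panic(err)
	}
	// A relying party requiring PolicyV2 rejects the pre-change certificate and
	// accepts the post-change one, purely from the OID each certificate carries.
	oldOK, _ := AssertsPolicy(oldCert, PolicyV2)
	newOK, _ := AssertsPolicy(newCert, PolicyV2)
	fmt.Printf("pre-change cert satisfies PolicyV2: %v\n", oldOK)
	fmt.Printf("post-change cert satisfies PolicyV2: %v\n", newOK)
}
```

The point of the relying-party check is that the policy decision is bound to the certificate itself: a certificate issued before the policy change keeps asserting the old OID no matter how many times the CA's keys roll, which is exactly the property a DNSKEY RR has no field to carry.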
