Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

Stephen Kent <> Wed, 18 July 2012 15:54 UTC

To: russ housley <>, Peter Yee <>, ...

>> You're right, I did miss your point, quite thoroughly :-)
>> I am guessing that the answer is that there's no corresponding facility in DNSSEC for a policy identifier to be published with a DNSKEY RR, but I say that largely ignorant of X.509 and attendant CA policy and hence perhaps am still misunderstanding what you're looking for.

In X.509 each cert can contain a policy OID that indicates the policy under which the cert was issued. Thus, when a CA changes its policy it can issue certs under the new policy with the new policy OID. This makes it clear to relying parties what policy is in effect, and when a CA changes its policy, irrespective of other changes, e.g., key rollover.
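The mechanism Kent describes is the certificatePolicies extension (RFC 5280, section 4.2.1.4): a SEQUENCE of PolicyInformation entries, each carrying a policy OID. The following Go program is an added illustration and is not code from this thread or from the DNSSEC DPS framework draft. It issues two self-signed test certificates that differ only in the policy OID they assert (the CA's "old" and "new" policy), reads the OIDs back from the wire encoding, and shows a relying party that requires the new policy rejecting the certificate issued under the old one even though nothing else about the certificate has changed. The two policy OIDs, the private-enterprise arc they sit under, and the subject name are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-ce-certificatePolicies (RFC 5280 section 4.2.1.4).
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// Hypothetical policy identifiers for this example only. They sit under a
// made-up private-enterprise arc and do not belong to any real CA's CPS.
var (
	policyCPSv1 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}
	policyCPSv2 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2}
)

// policyInformation mirrors RFC 5280's PolicyInformation. Qualifiers are kept
// raw because this example only cares about the policy OID itself.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// issueWithPolicy creates a self-signed certificate whose certificatePolicies
// extension asserts the given policy OID, and returns its DER encoding.
func issueWithPolicy(policy asn1.ObjectIdentifier) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// SEQUENCE OF PolicyInformation with a single entry and no qualifiers.
	extValue, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example CA"}, // made-up subject
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
		// ExtraExtensions are copied into the certificate verbatim, so the
		// encoding above is exactly what a relying party sees on the wire.
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: extValue}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// certPolicies parses a DER certificate and returns the policy OIDs asserted in
// its certificatePolicies extension (nil if the extension is absent).
func certPolicies(der []byte) ([]asn1.ObjectIdentifier, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		rest, err := asn1.Unmarshal(ext.Value, &infos)
		if err != nil {
			return nil, err
		}
		if len(rest) != 0 {
			return nil, errors.New("trailing data after certificatePolicies")
		}
		out := make([]asn1.ObjectIdentifier, 0, len(infos))
		for _, pi := range infos {
			out = append(out, pi.Policy)
		}
		return out, nil
	}
	return nil, nil
}

// issuedUnder reports whether the certificate asserts the policy a relying
// party requires. A certificate that asserts only an older policy is rejected
// even though its key and signature are otherwise acceptable.
func issuedUnder(der []byte, required asn1.ObjectIdentifier) (bool, error) {
	pols, err := certPolicies(der)
	if err != nil {
		return false, err
	}
	for _, p := range pols {
		if p.Equal(required) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, policy := range []asn1.ObjectIdentifier{policyCPSv1, policyCPSv2} {
		der, err := issueWithPolicy(policy)
		if err != nil {
			panic(err)
		}
		pols, _ := certPolicies(der)
		ok, _ := issuedUnder(der, policyCPSv2)
		fmt.Printf("asserted policies %v; acceptable to a CPS v2 relying party: %v\n", pols, ok)
	}
}
```

The extension is built and parsed by hand here rather than through the template's policy fields so that the example behaves the same across Go releases and so the PolicyInformation structure is visible; the standard library's own parser populates `Certificate.PolicyIdentifiers` from the same bytes, which is a useful cross-check.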