Security policy mechanism that allows a domain owner to specify which certificate authority is authorized to issue certificates for that domain.