We use policy fragments for SSL and signing. We use these fragments in multiple policies and services that use different keys on one gateways. Currently, only the actual private key can be selected on a routing or signing assertion. We require the ability to select a variable that hold the name of the private key (instead of the actual private key). The value of this variable can then be set on service level. This would allow the same fragments for signing / SSL to be re-used for services with different private keys.