*Summary*: We would like to experiment with Delegated Credentials, a proposed TLS 1.3 extension. The Delegated Credentials mechanism allows operators to delegate their own credentials for use in TLS 1.3, without breaking compatibility with clients that do not support this extension. Typically, Certification Authorities (CAs) issue long-lived certificates which restrict servers to using the authentication mechanisms for which the CA-issued credentials are valid. This is not ideal in situations where server operators would like to use short-lived credentials for servers operating in low-trust zones such as CDNs, for example. To remove dependencies on external CAs (and the associated cost of potentially requesting short-lived credentials from these CAs), the Delegated Credentials mechanism allows a TLS server operator to issue its own, short-lived credentials within the scope of a certificate issued by an external CA. In other words, trust is still provided via an externally issued end-entity certificate but server operators can now limit the exposure of compromise through the use of short-lived credentials that are signed by the private key corresponding to the end-entity certificate (i.e., the end-entity public key). These short-lived “delegated credentials” are valid for a maximum of seven days, and operate as a server’s working keys for the TLS 1.3 connection. Further details can be found in the specification linked below.
We are partnering with Cloudflare on this initiative. Christopher Patton has opened a bug and is starting to submit code for review. Once the client code has landed, and the server-side code is ready, we can contemplate experimental interop testing with Nightly (details still to be decided).

*Bug*: https://bugzilla.mozilla.org/show_bug.cgi?id=1540403

*Link to standard*: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03

*Platform coverage - where will this be available?* All Gecko

*Estimated target release*: None; prerelease-only currently.

*Preference behind which this will be implemented*: This will be enabled behind a pref but the particulars are yet to be determined.

Please do not hesitate to contact me if you have any further questions or concerns.

Thank you,
Thyla

--
Dr. Thyla van der Merwe
Cryptography Engineering Manager

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
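The mechanism the summary describes (a short-lived credential for a fresh working key, signed by the private key of the CA-issued end-entity certificate, capped at seven days, and checked by the client before the delegated key is trusted) is worked through below as an added example in Go. It is not part of the original post and is not code from Mozilla, NSS or Cloudflare. The Credential and DelegatedCredential encodings, the signature input (64 spaces, the context string "TLS, server delegated credentials", a zero byte, the end-entity certificate DER, the credential and the algorithm), the DelegationUsage extension (OID 1.3.6.1.4.1.44363.44, value NULL) and the seven-day cap follow draft-ietf-tls-subcerts-03; everything else (the names Delegate, Verify, makeEECert, the hostname dc-demo.example, the self-signed stand-in for the CA-issued certificate) is my own construction for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// Per draft-ietf-tls-subcerts-03: 7-day cap, signature context string, DelegationUsage OID.
// Only ecdsa_secp256r1_sha256 (SignatureScheme 0x0403) is handled in this example.
const (
	maxValidity     = 7 * 24 * time.Hour
	contextString   = "TLS, server delegated credentials"
	ecdsaP256SHA256 = uint16(0x0403)
)
var oidDelegationUsage = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 44363, 44}

type Credential struct {
	ValidTime uint32 // seconds after the EE certificate's notBefore at which the DC expires
	Scheme    uint16 // expected_cert_verify_algorithm
	SPKI      []byte // DER SubjectPublicKeyInfo of the delegated (working) key
}
type DelegatedCredential struct {
	Cred      Credential
	Algorithm uint16
	Signature []byte
}

// marshal is the TLS wire encoding of Credential: uint32, uint16, 24-bit length, SPKI bytes.
func (c Credential) marshal() []byte {
	b := []byte{byte(c.ValidTime >> 24), byte(c.ValidTime >> 16), byte(c.ValidTime >> 8), byte(c.ValidTime),
		byte(c.Scheme >> 8), byte(c.Scheme), byte(len(c.SPKI) >> 16), byte(len(c.SPKI) >> 8), byte(len(c.SPKI))}
	return append(b, c.SPKI...)
}

// signatureInput is what the EE key signs: 64 x 0x20 || context || 0x00 || EE cert DER ||
// Credential || algorithm. Covering the certificate binds the DC to that exact certificate.
func signatureInput(certDER []byte, cred Credential, alg uint16) []byte {
	b := append(bytes.Repeat([]byte{0x20}, 64), contextString...)
	b = append(append(append(b, 0), certDER...), cred.marshal()...)
	return append(b, byte(alg>>8), byte(alg))
}

// Delegate is the operator side: sign a fresh DC public key so that it expires at now+ttl.
func Delegate(eeCert *x509.Certificate, eeKey *ecdsa.PrivateKey, dcPub *ecdsa.PublicKey, now time.Time, ttl time.Duration) (*DelegatedCredential, error) {
	if ttl <= 0 || ttl > maxValidity { return nil, errors.New("ttl must be positive and at most 7 days") }
	spki, err := x509.MarshalPKIXPublicKey(dcPub)
	if err != nil { return nil, err }
	cred := Credential{uint32(now.Add(ttl).Sub(eeCert.NotBefore) / time.Second), ecdsaP256SHA256, spki}
	digest := sha256.Sum256(signatureInput(eeCert.Raw, cred, ecdsaP256SHA256))
	sig, err := ecdsa.SignASN1(rand.Reader, eeKey, digest[:])
	if err != nil { return nil, err }
	return &DelegatedCredential{cred, ecdsaP256SHA256, sig}, nil
}

// Verify is the client side: the EE certificate must opt in (DelegationUsage + digitalSignature),
// the credential must be unexpired with at most 7 days left, and the EE signature must hold.
func Verify(dc *DelegatedCredential, eeCert *x509.Certificate, now time.Time) (*ecdsa.PublicKey, error) {
	optedIn := false
	for _, ext := range eeCert.Extensions { optedIn = optedIn || ext.Id.Equal(oidDelegationUsage) }
	if !optedIn || eeCert.KeyUsage&x509.KeyUsageDigitalSignature == 0 { return nil, errors.New("certificate does not permit delegation") }
	expiry := eeCert.NotBefore.Add(time.Duration(dc.Cred.ValidTime) * time.Second)
	if !now.Before(expiry) || expiry.Sub(now) > maxValidity { return nil, errors.New("credential expired or lifetime exceeds 7 days") }
	eePub, ok := eeCert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(signatureInput(eeCert.Raw, dc.Cred, dc.Algorithm))
	if !ok || dc.Algorithm != ecdsaP256SHA256 || !ecdsa.VerifyASN1(eePub, digest[:], dc.Signature) {
		return nil, errors.New("bad or unsupported delegated credential signature")
	}
	pub, err := x509.ParsePKIXPublicKey(dc.Cred.SPKI)
	if dcPub, isEC := pub.(*ecdsa.PublicKey); err == nil && isEC { return dcPub, nil }
	return nil, errors.New("delegated key is missing or not ECDSA")
}

// makeEECert is a self-signed stand-in for the CA-issued end-entity certificate (constructed
// test data); the DelegationUsage ::= NULL extension is added only when optIn is true.
func makeEECert(notBefore time.Time, optIn bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "dc-demo.example"},
		NotBefore: notBefore, NotAfter: notBefore.Add(90 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if optIn { tmpl.ExtraExtensions = []pkix.Extension{{Id: oidDelegationUsage, Value: []byte{0x05, 0x00}}} }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

func main() {
	now := time.Now()
	cert, eeKey := makeEECert(now.Add(-time.Hour), true)
	dcKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dc, _ := Delegate(cert, eeKey, &dcKey.PublicKey, now, 3*24*time.Hour)
	_, errNow := Verify(dc, cert, now)
	_, errLater := Verify(dc, cert, now.Add(4*24*time.Hour))
	println("accepted now:", errNow == nil, "accepted after 4 days:", errLater == nil)
}
```

Two points the code makes concrete: the client checks the credential's remaining lifetime against the seven-day cap relative to its own clock (valid_time is an offset from the certificate's notBefore, so a large offset on an old certificate is rejected even when the signature is good), and the end-entity certificate has to carry the DelegationUsage extension and the digitalSignature key usage before any delegated credential signed under it is accepted; this is what keeps an operator's existing, non-opted-in certificates from being usable for delegation if the end-entity key leaks. The real client additionally validates the certificate chain as usual and uses the delegated key only for the handshake's CertificateVerify, which this example does not model.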