28 November 2019
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.
Delegated credentials is a TLS feature, currently in development, that allows the authentication of TLS connections to be temporarily delegated to a different public/private key pair. Cloudflare, Facebook, and Mozilla are currently running experiments with this feature in practice.
The idea of delegated credentials is that a TLS certificate can sign a special temporary key that is then allowed to sign TLS handshakes for the corresponding host. It acts as a kind of intermediate certificate.
The background is that operators sometimes want to keep their private key in a more secure location than the server terminating TLS, but obtaining every handshake signature from that remote key adds latency. One such use case is the Keyless SSL feature that Cloudflare introduced some years ago. Cloudflare was directly involved in the development of delegated credentials.
Right now, there is a draft for the standard. To use delegated credentials, you need a special certificate extension; for the experiments run by Cloudflare and Facebook, these certificates have been provided by DigiCert.
Firefox has implemented initial support in its NSS library and the nightly releases of Firefox. Mozilla is also running a telemetry experiment to gather experience with the new feature.
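To make the mechanism concrete, here is an added example in Go (not code from the newsletter, from Cloudflare, Mozilla or NSS, nor from the draft's authors) that models the delegation described above: a certificate holding the DelegationUsage extension signs a short-lived credential for a second key, and a verifier checks the extension, the lifetime cap and the signature before trusting that key. The structure layout, the signature context string, the extension OID and the 7-day cap follow my reading of the draft and should be treated as assumptions; the self-signed certificate is constructed for the example and stands in for the DigiCert-issued ones used in the experiments.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"math/big"
	"time"
)

// Values below are my reading of the draft, not figures taken from the newsletter.
var oidDelegationUsage = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 44363, 44} // DelegationUsage extension

const (
	contextString = "TLS, server delegated credentials" // context label in the signed message
	maxValidity   = 7 * 24 * time.Hour                 // cap on how long a credential may be valid
	ecdsaP256     = uint16(0x0403)                     // TLS SignatureScheme ecdsa_secp256r1_sha256
)

// Credential is the signed body: lifetime, the CertificateVerify scheme the
// delegated key will use, and that key's DER SubjectPublicKeyInfo.
type Credential struct {
	ValidTime uint32 // seconds after the delegating certificate's notBefore
	Scheme    uint16
	SPKI      []byte
}

// DelegatedCredential is a Credential plus the certificate key's signature over it.
type DelegatedCredential struct {
	Cred      Credential
	Algorithm uint16
	Signature []byte
}

// encode serialises a Credential as uint32, uint16, opaque<1..2^24-1>.
func (c Credential) encode() []byte {
	hdr := make([]byte, 9)
	binary.BigEndian.PutUint32(hdr[0:4], c.ValidTime)
	binary.BigEndian.PutUint16(hdr[4:6], c.Scheme)
	n := len(c.SPKI)
	hdr[6], hdr[7], hdr[8] = byte(n>>16), byte(n>>8), byte(n)
	return append(hdr, c.SPKI...)
}

// signatureInput is what the certificate key signs: 64 spaces, the context string,
// a zero byte, the certificate DER, then the Credential. Including the certificate
// DER ties the credential to exactly one certificate.
func signatureInput(certDER []byte, c Credential) []byte {
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{0x20}, 64))
	b.WriteString(contextString)
	b.WriteByte(0)
	b.Write(certDER)
	b.Write(c.encode())
	return b.Bytes()
}

// NewDelegatingCert builds a self-signed test certificate (constructed for this
// example) carrying DelegationUsage (value DER NULL) and digitalSignature key usage.
func NewDelegatingCert() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "example.test"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidDelegationUsage, Value: []byte{0x05, 0x00}}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Delegate has the (well-protected) certificate key sign a credential for a
// short-lived key that the TLS server will use until expiry.
func Delegate(cert *x509.Certificate, certKey *ecdsa.PrivateKey, delegatedPub *ecdsa.PublicKey, expiry, now time.Time) (*DelegatedCredential, error) {
	if !expiry.After(now) || expiry.Sub(now) > maxValidity {
		return nil, errors.New("expiry must be in the future and at most 7 days away")
	}
	spki, err := x509.MarshalPKIXPublicKey(delegatedPub)
	if err != nil {
		return nil, err
	}
	cred := Credential{ValidTime: uint32(expiry.Sub(cert.NotBefore).Seconds()), Scheme: ecdsaP256, SPKI: spki}
	digest := sha256.Sum256(signatureInput(cert.Raw, cred))
	sig, err := ecdsa.SignASN1(rand.Reader, certKey, digest[:])
	if err != nil {
		return nil, err
	}
	return &DelegatedCredential{Cred: cred, Algorithm: ecdsaP256, Signature: sig}, nil
}

// Verify runs the client-side checks and returns the delegated public key that the
// handshake's CertificateVerify must then be checked against.
func Verify(cert *x509.Certificate, dc *DelegatedCredential, now time.Time) (*ecdsa.PublicKey, error) {
	allowed := false
	for _, ext := range cert.Extensions {
		allowed = allowed || ext.Id.Equal(oidDelegationUsage)
	}
	if !allowed || cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return nil, errors.New("certificate is not permitted to delegate")
	}
	expiry := cert.NotBefore.Add(time.Duration(dc.Cred.ValidTime) * time.Second)
	if now.After(expiry) || expiry.Sub(now) > maxValidity {
		return nil, errors.New("credential expired or remaining validity exceeds 7 days")
	}
	if dc.Algorithm != ecdsaP256 || dc.Cred.Scheme != ecdsaP256 {
		return nil, errors.New("unsupported signature scheme")
	}
	certPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(signatureInput(cert.Raw, dc.Cred))
	if !ok || !ecdsa.VerifyASN1(certPub, digest[:], dc.Signature) {
		return nil, errors.New("signature by the certificate key does not verify")
	}
	pub, err := x509.ParsePKIXPublicKey(dc.Cred.SPKI)
	if err != nil {
		return nil, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("delegated key is not an ECDSA key")
	}
	return ecPub, nil
}
```

The security point the code makes explicit: the certificate's long-lived key signs only the credential, offline and rarely, while the key that actually signs handshakes lives on the edge for days rather than years; a client that lacks the extension check or the lifetime cap would let any compromised certificate key mint indefinitely valid credentials, which is why both checks precede the signature check in Verify.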
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof SSL and TLS, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 1,500 students who have benefited from more than a decade of deep TLS and PKI expertise.