Bulletproof TLS Newsletter #59
Testing of delegated credentials begins
28 November 2019
Author: Hanno Böck

This issue was distributed to 52,536 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Testing of delegated credentials begins
  2. Short news

Testing of delegated credentials begins

Delegated credentials is a TLS feature currently in development that allows for temporarily delegating authentication of TLS connections to a different public/private key pair. Cloudflare, Facebook, and Mozilla are currently running experiments with this feature in practice.

The idea of delegated credentials is that a TLS certificate can sign a special temporary key that is then allowed to sign TLS handshakes for the corresponding host. It acts as a kind of intermediate certificate.

The background is that sometimes companies want to store their private key in a more secure location, but getting signatures involves a latency overhead. One such use case is the Keyless SSL feature that Cloudflare introduced some years ago. Cloudflare was directly involved in the development of delegated credentials.

Right now, there is a draft for the standard. To use delegated credentials, you need a special certificate extension; for the experiments run by Cloudflare and Facebook, these certificates have been provided by DigiCert.

Firefox has implemented initial support in its NSS library and the nightly releases of Firefox. Mozilla is also running a telemetry experiment to gather experience with the new feature.

Short news