Delegated credential explained

Delegated credential is a short-lived TLS certificate used to improve security by faster recovery from private key leakage, without increasing the latency of the TLS handshake. It is currently an IETF Internet Draft,[1] and has been in use by Cloudflare[2] and Facebook,[3] with browser support by Firefox.[4]

Motivation

Modern websites and other services use content delivery networks (CDNs), which are servers potentially distributed all over the world, in order to respond to a user's request as fast as possible, alongside other services that CDNs provide such as DDoS mitigation. However, in order to establish a secure connection, the server is required to prove possession of a private key associated with a certificate, which serves as a chain of trust linking the public key and a trusted party. The trusted party is normally a certificate authority (CA).

CAs issue these digital certificates with an expiration time, usually a few months up to a year. It is the server's responsibility to renew the certificate close to its expiration date. Knowledge of a private key associated to a valid certificate is devastating for the site's security, as it allows Man-in-the-middle attacks, in which a malicious entity can impersonate to a user as a legitimate server. Therefore, these private keys should be kept secure, preferably not distributed over every server in the CDN. Specifically, if a private key is compromised, the corresponding certificate should optimally be revoked, such that browsers will no longer support this certificate. Certificate revocation has two main drawbacks. Firstly, current revocation methods do not work well across all browsers, and put the users at risk; and secondly, upon revocation, the server needs to quickly fetch a new valid certificate from the CA and deploy it across all mirrors.

Design

A delegated credential is a short-lived key (from a few hours to a few days) that the certificate's owner delegates to the server for use in TLS. It is in fact a signature: the certificate's owner uses the certificate's private key to sign a delegated public key, and an expiration time.

Given this delegated credential, a browser can (if it supports it) verify the server's authenticity by verifying the delegated certificate and then verify the certificate itself.

Advantages

This approach has many advantage over current solutions:

Notes and References

  1. Web site: Barnes . Richard . Iyengar . Subodh . Rescorla . Eric . Sullivan . Nick . Delegated Credentials for TLS . tools.ietf.org . 21 June 2020 . en.
  2. Web site: Delegated Credentials for TLS . The Cloudflare Blog . en . 1 November 2019 . 21 June 2020.
  3. Web site: Guzman . Alex . Nekritz . Kyle . Iyengar . Subodh . Delegated credentials: Improving TLS security . Facebook Engineering . 21 June 2020 . 1 November 2019.
  4. Web site: Jacobs . Kevin . Jones . J. C. . Merwe . Thyla van der . Validating Delegated Credentials for TLS in Firefox . Mozilla Security Blog . November 2019 . 21 June 2020.