Site icon SSL.com

Delegated Credentials for TLS

Terminating a TLS connection requires using a certificate’s private key. As a result, the private key needs to be stored at every single server utilized by a service.  The protection of this private key’s secrecy is paramount to the smooth operation of a Public Key Infrastructure scheme. An entity in possession of the private key can perform man-in-the-middle attacks for the remainder of the certificate’s validity. Typically, when an attacker compromises a private key, the certificate associated with this key is revoked, and a new one is issued.  However, for enterprises that use multiple servers, like Facebook or Content Delivery Networks, key compromises, especially in edge servers, are not easy to detect, hence putting at risk the entire network. Delegated Credentials allow servers to perform TLS handshakes, while the private key of the certificate is stored in a secure location. Delegated Credentials are digitally signed data structures comprising of two parts: a validity interval and a public key (along with its associated signature algorithm). They serve as a “power of attorney” for the servers indicating that they are authorized to terminate the TLS connection. The process of issuing delegated credentials is currently under standardization and defined in this IEFT draft. The draft defines the use of Delegated Credentials as follows:
 
“A limited delegation mechanism that allows a TLS peer to issue its own credentials within the scope of a certificate issued by an external CA. These credentials only enable the recipient of the delegation to speak for names that the CA has authorized.”
Delegated Credentials are designed with the purpose of increasing security. Hence, they possess certain traits, as defined in the IEFT draft. SSL.com supports the use of delegated credentials for all clients. Issuance of delegated credentials capable certificates can be done through the use of APIs for automation using the ACME protocol. Since SSL.com utilizes ECDSA to implement the PKI offered to clients, delegated credentials issued by our clients are not vulnerable to signature forgery attacks, as described above. 
Exit mobile version