What Are Delegated Credentials for TLS?

Delegated Credentials for TLS is a new cryptographic protocol introduced by Mozilla in collaboration with Cloudflare, Facebook, and other members of the IETF community.

After three years of development by Facebook, Cloudflare, and Firefox, this protocol is now on the path to becoming an internet standard. The Internet Engineering Task Force (IETF) is in the process of standardizing it.

Delegated Credentials are an extension to SSL/TLS certificates. They secure the encrypted connection between the server and the web browser while letting each server use a delegated credential with its own key instead of the certificate's private key.

By shrinking the validity period from months to hours, Delegated Credentials help limit the misuse of misissued or compromised certificates.

Before exploring the technical details of Delegated Credentials for TLS, let’s first understand why they are crucial for improving online security.

Why Are Delegated Credentials for TLS Necessary?

An SSL/TLS certificate is used to secure the connection between a web browser and a server. When a browser connects over HTTPS, the server presents its TLS certificate so the browser can verify the server's identity before any data is exchanged. The data transferred between the server and the browser is then encrypted, preventing third parties from eavesdropping, tampering, or impersonating the server. SSL/TLS certificates are crucial to securing online communications because they establish trust through this authentication step, and they protect sensitive data such as login credentials, payment details, and personal information.

These certificates typically have a validity period of 1 to 2 years. However, a certificate may need to be revoked before its expiration date for reasons such as:

  • The certificate’s private key has been compromised.
  • The certificate was issued without proper verification.
  • An incorrect certificate was issued.

In such situations, the only remedy is to revoke the certificate and obtain a new one.

The revocation check is performed by contacting the CA's server (via a CRL or OCSP) to retrieve the certificate's revocation status.

However, browsers sometimes fail to show a "certificate no longer trusted" warning after a certificate has been revoked, because they rely on cached validation data. Delays at the CA's CRL/OCSP servers can also hold back updated revocation results from reaching the end user.

Facebook and Cloudflare are collaborating on this protocol to enhance end-user security, as their services are used by millions worldwide.

The period between when a certificate is revoked and when a fresh certificate is issued makes websites vulnerable to attackers.

During this time, some browsers may incorrectly display the website as secure based on cached data. Delegated Credentials were designed to address this problem.

Delegated Credentials have short validity periods and are signed with the private key of the leaf certificate issued by the CA.

Understanding How Delegated Credentials Work

The IETF community has proposed Delegated Credentials for TLS to address the issues above. It is a new cryptographic protocol that balances certificate lifetime against reliability.

Delegated Credentials for TLS give site operators partial control over signing: the operator, rather than the CA, issues credentials whose private key has a shorter validity period than the primary certificate's.

The Delegated Credential, which carries a key with a shorter validity period, is generated by the server rather than by the Certificate Authority.
A delegated credential consists of the following components:

  • A public key, the one the browser will use to authenticate the server.
  • A new private key paired with it, kept on the server, that expires with the delegated credential.
  • A signature over the credential produced with the private key of the CA-issued leaf certificate.

The credential's public key is what the browser uses to authenticate the server and secure the connection.

Website owners can now take an active part in generating credentials with their own public and private key pairs.
Each server uses a distinct private key with a short validity period. Because every server's key is unique and short-lived, a compromised key gives an attacker only a small window in which to abuse it.

How to Enable Delegated Credentials on Firefox

Facebook has started supporting Delegated Credentials through its Fizz library.

To try Delegated Credentials yourself, follow these steps:

  • Download or update to the latest version of Mozilla Firefox.
  • Type about:config in the address bar and search for tls.enable_delegated_credentials.
  • Change its value from "false" to "true" by double-clicking it.

After completing the above steps, your settings should appear as shown in the image below:

To check if your browser supports delegated credentials for TLS, you can visit the following websites:

fbdelegatedcredentials.com (by Facebook)

kc2kdm.com/delegated.html (by Mozilla)

Conclusion

When a user connects to a website with a browser that supports delegated credentials, the server authenticates with a short-lived delegated credential instead of the CA certificate's own key. Because the leaf certificate signs the credential, the chain of trust is preserved.

This technology addresses the limitations of keyless SSL, offering significant benefits to customers. It is encouraging to see major tech giants developing innovative solutions to improve internet security.
