Mozilla, Cloudflare and Facebook announced “Delegated Credentials for TLS”: https://blog.mozilla.org/security/2019/11/01/validating-delegated-credentials-for-tls-in-firefox/ https://blog.cloudflare.com/keyless-delegation/ https://engineering.fb.com/security/delegated-credentials/ Which require a …

[image] tdelmas: It’s probably too early to ask that question, but, is Let’s Encrypt considering supporting that certificate extension? We are not actively considering this or tracking the work closely. [image] orangepizza: IIRC LE has different idea for short life certificate, which cal…

I feel like someone just discovered new land! I think this could be a very big step towards complete global encryption. Needless to say, I second the question and add: [image] tdelmas: is Let’s Encrypt considering supporting that certificate extension? And, if so, is that discussion open (…

IIRC LE has different idea for short life certificate, which called ACME-STAR and acme-star-delegation but this delegated credentials has working implantation for it. Comparing for this and acme star most significant differences is ACME-STAR creates real certificate with few days of lifetime each,…

[image] orangepizza: pro for Delegated credentials And as Let's Encrypt already support another TLS extension (OCSP Must Staple - RFC 7633 - X.509v3 Transport Layer Security (TLS) Feature Extension ), adding another one should be easy (in terms of development and maintenance). So both way cou…

[image] orangepizza: Does CA/B BR really allow this? a. Is it allowed to add arbitrary extension for public cert? Digicert has already issued some public certificates with that extension: https://censys.io/certificates?q=parsed.unknown_extensions.id%3A+1.3.6.1.4.1.44363.44+AND+tags%3Atrusted …

[image] _az: Is the underlying suggestion here that your CDN is a threat actor or incompetent? In that light, it would seem that their point is to ensure that one can't be overly exploited by those they are forced to trust. I guess it will make them sleep better at night... But this actually…

[image] _az: The upside is protection against one narrow form of CDN edge compromise? :confused: This is my understanding yes. And while the use case seems narrow (CDNs and other large Internet companies), it's not totally unrealistic. CDNs have PoPs all over the world, usually not under thei…

Short lived certificates alternative: Delegated credentials

Issuance Policy

tdelmas November 8, 2019, 4:29pm 8

Related thread on mozilla.dev.security.policy forum:

https://groups.google.com/d/msg/mozilla.dev.security.policy/T-aRts5DhcM/NAnY7MqVCAAJ

Topic		Replies	Views
6 day certificates!? Pinch me I'm dreaming Issuance Policy	37	2425	January 30, 2025
Identifier validation in certificate renewals Issuance Policy	26	691	December 22, 2024
Why doesn't Let's Encrypt issue CA certificates? Feature Requests	26	5330	March 9, 2021
Google Proposes Reducing TLS Cert Life Span to 90 Days ISRG/Organizational	62	6180	March 24, 2024
Let's Encrypt shouldn't rely on a centralized CA; it should be decentralized Feature Requests	25	7846	March 18, 2016

Short lived certificates alternative: Delegated credentials

Related topics