
proposal: crypto/tls: add support for delegated credentials #35311

Open
aaslamin opened this issue Nov 1, 2019 · 3 comments
Labels: Proposal, Proposal-Crypto (proposal related to crypto packages or other security issues), Proposal-Hold
Milestone: Proposal

Comments

aaslamin commented Nov 1, 2019

This proposal is to add support to the crypto/tls package for the new cryptographic protocol, delegated credentials, which will be an extension to TLS. It's currently in the process of being adopted as a standard by the IETF.

Some benefits:

Key protection: rather than deploying the actual private key associated with the certificate that was issued to you by the CA to each server that fronts TLS, one can instead create and issue a delegated credential. This credential can have a much shorter life span than that of the original certificate and one does not need to contact the CA to have it provisioned each time. The client can still verify the chain of trust as the delegated credential is still signed by the certificate obtained by the CA.

Experimentation for new PK algorithms: in addition to the security benefits it provides to protecting keys, it enables servers to experiment with rolling out support for new authentication mechanisms which are tied to the certificate being served. Essentially, the server can try out a new authentication type without altering the certificate that was issued to them by the CA.

Concerns:

  • I am not sure about Go's policy for adding support for draft RFCs to the standard library, although this one seems promising in that it will land? Thoughts?

Cc: @FiloSottile

@gopherbot gopherbot added this to the Proposal milestone Nov 1, 2019
FiloSottile (Contributor) commented

Not an RFC yet, and we never implement drafts. Also, we usually wait until there is wide ecosystem support before implementing things.

Then there are the two fundamental questions: what does a good API for it look like, and are Go deployments going to benefit from this enough to justify the complexity?

@FiloSottile FiloSottile added Proposal-Crypto Proposal related to crypto packages or other security issues Proposal-Hold labels Nov 22, 2019
aaslamin (Author) commented

Sounds good @FiloSottile!

Would love to work on this when the time comes 🙃

hslatman commented

The RFC is complete now: https://datatracker.ietf.org/doc/rfc9345/

At Cloudflare, support for this was added to their fork of Go in cloudflare/go#28.
