Add delegated credentials, as seen in #26

[claucece]

For #26

[armfazh]

Some general comments. @claucece

[claucece]

thanks @armfazh for the review! This is still WIP and has still some todos, so there is lots of errors. I'll assign you and @bwesterb once it is ready for review ;)

[armfazh]

This is still WIP and has still some todos, so there is lots of errors.

Yes, we are iterating in this codebase, and happy to review as many times as needed.

[claucece]

Yes, we are iterating in this codebase, and happy to review as many times as needed.

Oh, perfect! Every now and then when I finish a task of the issue, I'll mark it for review ;) Thanks so much!

[thomwiggers]

this should probably be rebased on the cf branch, because right now the diff is enormous

[claucece]

@thomwiggers the idea to have a separate branch is to be able to integrate to golang (which won't integrate probably the KEM TLS exp): that is why it differs from the cf branch.

[claucece]

@bwesterb @armfazh @chris-wood ready for review as a first version. I might add some refactors and other ideas in the mean time; but should we good now. Sorry for opening and closing it as a draft but I had some conflicts with go1.15

[claucece]

@bwesterb @armfazh Please, review until commit 8946da6

I'll add some more refactors, and some more functionality for the client; but I wanted you to check the overall work until that point ;)

[armfazh]

few comments

[bwesterb]

I'm not intimately familiar with the Go Tls implementation nor with delegated credentials, so this "approve" should be read as a "I didn't see anything fishy". Looks good, well documented.

[Lekensteyn]

Initial (partial) review, I have yet to look at delegated_credentials.go and delegated_credentials_test.go

[chris-wood]

This is looking good! I left some comments for areas and things that might warrant further investigation. Please let me know if anything is not clear. :-)

[cjpatton]

First round! Some high level things:

1. Unless there's a good reason to keep it, I think the GetDelegatedCredential callback should be replaced with a list of DCs. See inline comment for details.
2. Can you modify the package comment at the top of tls.go to document the fact that this package implements draft-ietf-tls-subcerts-09?
3. Please make sure all comments are wrapped at 80 characters.
4. For data serialization, use "golang.org/x/crypto/cryptobyte". This make the code much easier to read and verify.
5. Please remove any empty lines you added and add back any you removed. One of our goals for this repo is to minimize differences with upstream Go wherever possible

[claucece]

Hi @cjpatton ! Thanks for this! I'll only solve this week the small comments, as any large change will likely break the code of kem-tls needed for Friday. Thanks!

[cjpatton]

Rebased.

[wbl]

A few comments that need addressing first

[cjpatton]

Last round for me. Just minor comments left.

[cjpatton]

I'm good with whichever way you land here. (Consider this comment non-blocking.)

[cjpatton]

Unrequesting changes in order to unblock merge :)

[claucece]

Closing this, as it will only be experimental.

[cjpatton]

Rebased. Merging as-is, with existing approvals. Note that future changes to crypto/tls and crypto/x509 will need approval from the respective codeowners.