Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: crypto/tls: add support for delegated credentials #35311

aaslamin opened this issue Nov 1, 2019 · 0 comments


Copy link

@aaslamin aaslamin commented Nov 1, 2019

This proposal is to add support to the crypto/tls package for the new cryptographic protocol, delegated credentials, which will be an extension to TLS. It's currently in the process of being adopted as a standard by the IETF.

Some benefits:

Key protection: rather than deploying the actual private key associated with the certificate that was issued to you by the CA to each server that fronts TLS, one can instead create and issue a delegated credential. This credential can have a much shorter life span than that of the original certificate and one does not need to contact the CA to have it provisioned each time. The client can still verify the chain of trust as the delegated credential is still signed by the certificate obtained by the CA.

Experimentation for new PK algorithms: in addition to the security benefits it provides to protecting keys, it enables for servers to experiment rolling out support for new authentication mechanisms which are tied to the certificate being served. Essentially, the server can try out a new authentication type without altering the certificate the was issued to them by the CA.


  • I am not sure about Go's policy for adding support of draft RFC's to the standard library, although this one seems promising in that it will land? Thoughts?

Cc: @FiloSottile

@gopherbot gopherbot added this to the Proposal milestone Nov 1, 2019
@gopherbot gopherbot added the Proposal label Nov 1, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
2 participants
You can’t perform that action at this time.