proposal: crypto/tls: add support for delegated credentials #35311
This proposal is to add support to the
Key protection: rather than deploying the actual private key associated with the certificate that was issued to you by the CA to each server that fronts TLS, one can instead create and issue a delegated credential. This credential can have a much shorter life span than that of the original certificate and one does not need to contact the CA to have it provisioned each time. The client can still verify the chain of trust as the delegated credential is still signed by the certificate obtained by the CA.
Experimentation for new PK algorithms: in addition to the security benefits it provides to protecting keys, it enables servers to experiment with rolling out support for new authentication mechanisms which are tied to the certificate being served. Essentially, the server can try out a new authentication type without altering the certificate that was issued to them by the CA.
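The key-protection idea described above, as an added Go sketch that is not part of the original issue and is not crypto/tls code: the certificate key signs a short-lived front-end key together with an expiry, and the client checks that signature and the lifetime. It assumes Ed25519 and a made-up signed payload rather than the draft's wire format; `Delegation`, `NewKey`, `Issue` and `Verify` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

type Delegation struct { // simplified stand-in (assumption: NOT the draft's wire format)
	EdgePub  ed25519.PublicKey // short-lived key held by the TLS front end
	NotAfter int64             // Unix expiry time
	Sig      []byte            // made with the certificate's private key
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func signedBytes(d *Delegation) []byte { // binds the expiry to the delegated key
	return []byte(fmt.Sprintf("%d|%x", d.NotAfter, d.EdgePub))
}

// Issue runs where the certificate key lives; only the Delegation leaves that host.
func Issue(certKey ed25519.PrivateKey, edgePub ed25519.PublicKey, ttl time.Duration, now time.Time) *Delegation {
	d := &Delegation{EdgePub: edgePub, NotAfter: now.Add(ttl).Unix()}
	d.Sig = ed25519.Sign(certKey, signedBytes(d))
	return d
}

// Verify is the client side: signature by the certificate key, then lifetime.
func Verify(certPub ed25519.PublicKey, d *Delegation, now time.Time) error {
	if !ed25519.Verify(certPub, signedBytes(d), d.Sig) {
		return fmt.Errorf("not signed by certificate key")
	}
	if now.Unix() > d.NotAfter {
		return fmt.Errorf("delegation expired")
	}
	return nil
}

func main() {
	certPub, certKey := NewKey() // stands in for the CA-issued certificate's key pair
	edgePub, _ := NewKey()
	fmt.Println(Verify(certPub, Issue(certKey, edgePub, 24*time.Hour, time.Now()), time.Now()))
}
```

Because the expiry is inside the signed bytes, a front end that holds only the short-lived key cannot extend its own delegation.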
Not an RFC yet, and we never implement drafts. Also, we usually wait until there is wide ecosystem support before implementing things.
Then there are the two fundamental questions: what does a good API for it look like, and are Go deployments going to benefit from this enough to justify the complexity.