The new extension can also be useful for sites powered by a large distributed infrastructure with a large number of load balancers. Delegated Credentials will avoid storing copies of the private keys of the main certificates on each content delivery site. With the classical approach, a successful attack on any of the servers involved in the return of HTTPS traffic will lead to the compromise of the entire certificate. In the case of transferring private keys to content delivery networks, there are threats of data leakage as a result of sabotage by personnel, actions of intelligence agencies, or compromise of the CDN infrastructure.
If the leak of the keys goes unnoticed, those who have access to the keys will be able to quietly wedge themselves into the site traffic (MITM) for quite a long time, since the certificates are valid for months and years. In Cloudflare, to protect certificate keys, they can
The proposed TLS extension Delegated Credentials introduces an additional intermediate private key, the validity of which is limited to hours or several days (no more than 7 days). This key is generated based on the certificate issued by the certification authority and allows you to keep the private key of the original certificate secret from content delivery services, providing them with only a temporary certificate with a short lifetime.
In order to avoid problems with access after the expiration of the intermediate key lifetime, an automatic update technology is provided, which is performed on the side of the original TLS server. Generation does not require manual operations or running scripts - an authorized server that requires a private key, before the expiration of the lifetime of the previous key, accesses the site's original TLS server and it generates an intermediate key for the next short period of time.
Browsers that support the Delegated Credentials TLS extension will treat such derived certificates as trustworthy. For example, support for this extension has already been added to Firefox nightly and beta builds and can be enabled in about:config by changing the "security.tls.enable_delegated_credentials" setting. In mid-November, among a certain percentage of users of test versions of Firefox, it is also planned to conduct an experiment "
The Delegated Credentials specification has been submitted to the IETF (Internet Engineering Task Force) committee that develops the protocols and architecture of the Internet, and is at the stage
To generate intermediate keys, you need to obtain a TLS certificate that includes a special X.509 extension, which is currently only supported by the DigiCert certification authority.
Source: opennet.ru