*Summary*: Last year, we announced <https://groups.google.com/forum/#!topic/mozilla.dev.platform/NupI0zbdd2U> intent to implement Delegated Credentials for TLS 1.3. This extension allows server operators to delegate the authority of an end-entity certificate to a short-lived “sub-certificate”, which uses a separate keypair and inherits both scope and limitations from the issuing certificate. This enables more frequent key rotation and stronger protections on the end-entity private key. It also streamlines the process for experimenting with, and incorporating, new signing algorithms into TLS.

Since the original announcement, we’ve landed the implementation and run a breakage study in Nightly with positive results. We now intend to enable this feature for pre-release channels, starting in Nightly 78. As the specification is still in late draft, this will apply only to Nightly for the time being, and we will follow up on this thread before enabling it in Beta. Once RFC status is reached, our intention is to let the feature ride the trains to release, and again we will update this thread. Further details on the Delegated Credentials extension can be found in the specification linked below.

*Bug*: <https://bugzilla.mozilla.org/show_bug.cgi?id=1540403> https://bugzilla.mozilla.org/show_bug.cgi?id=1624378

*Link to standard*: https://tools.ietf.org/html/draft-ietf-tls-subcerts-07

*Platform coverage*: All platforms

*Estimated target release*: To Be Determined

*Preference behind which this will be implemented*: This is controlled via the security.tls.enable_delegated_credentials pref.

Thanks,
Kevin