I'm trying to understand the adversary model in which Delegated Credentials are helpful. It seems like if you weren't going to sign off on a cloud service provider getting a certificate before, you *probably* shouldn't let them have a delegated credential now---but if you were going to do so, *and* you don't believe revocation works (wise!), now you can offer a delegated credential and be safer?
That corresponds to an adversary who can compromise a cloud service and learn the customers' private keys---but can only do so rarely. Now instead of having ~ 1 year of use of your certificate, that adversary has a few days of use of your credential. But if the cloud service is regularly breached, you're as bad off as before (but no worse?) It sounds like the first years of delegated credentials will see them used in tandem with split systems (Lurk, Akamai and Cloudflare's various patented approaches)---then the primary benefit of delegated credentials is lower latency for session establishment. But maybe the idea is to avoid the first circumstance and emphasize that these are for the second case. Authors, can you describe what you have in mind? Thanks, Brian -- Brian Sniffen Akamai Technologies _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
