Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Fine-grained CDN Delegation

Ethan Thompson, Ali Sadeghi Jahromi, AbdelRahman Abdou

TL;DR

This work tackles the lack of fine-grained CDN delegation in the current web PKI by introducing Delegation Certificates (DeCerts), an X.509 extension that lets domain owners precisely control which subdomains a CDN may serve, how deep delegation can extend, and how revocation is handled. DeCerts are issued by the domain owner and bound to the domain via a new Delegation Info extension, enabling explicit, revocable, and transparent delegation without requiring CA changes; short lifetimes further support efficient revocation. The authors implement a Firefox proof-of-concept and compare DeCert against Delegated Credentials, Proxy Certificates, and Name Constraints, showing that DeCert achieves design goals such as fine-grained scope, delegation chains, and browser transparency while minimizing changes to TLS and PKI infrastructure. The approach promises improved security, scalability, and management of CDN delegation, with practical deployability and potential to enable new Internet services and subcontracted web operations.

Abstract

The use of Content Delivery Networks (CDNs) has significantly increased over the past decade, with approximately 55 million websites currently relying on CDN services. Emerging solutions, such as Delegated Credentials (RFC 9345), lack fine-grained definitions of many critical aspects of delegation, such as the length of delegation chains, revocation mechanism, permitted operations, and a well-defined scope for said delegation. We present Delegation Certificates (DeCerts), which modify X.509 certificate standard and add new extensions to enable fine-grained CDN delegation. DeCerts allow domain owners to specify delegated and non-delegated subdomains, and control the depth of delegation extended by CDNs, which provides flexibility in delegation management. But more importantly, DeCerts are built on a new principle which provides full autonomy to domain owners-domain owners can issue DeCerts fully independent of Certificate Authorities (CAs), and thus have greater flexibility in policy control, including revocation methods. Such level of flexibility would be hard to match if CAs where to issue such certificates. Revoking a DeCert revokes delegation. We discuss multiple revocation mechanisms for a DeCerts balancing security, performance, and delegator control. We modify Firefox to support DeCert (i.e., proper validation) as a proof-of-concept, and test it to demonstrate the feasibility, compatibility of DeCerts with browsers and TLS/HTTPS protocols. DeCerts enhance the security, scalability, and manageability of CDN delegation, offering a practical solution for Internet services.

Fine-grained CDN Delegation

TL;DR

This work tackles the lack of fine-grained CDN delegation in the current web PKI by introducing Delegation Certificates (DeCerts), an X.509 extension that lets domain owners precisely control which subdomains a CDN may serve, how deep delegation can extend, and how revocation is handled. DeCerts are issued by the domain owner and bound to the domain via a new Delegation Info extension, enabling explicit, revocable, and transparent delegation without requiring CA changes; short lifetimes further support efficient revocation. The authors implement a Firefox proof-of-concept and compare DeCert against Delegated Credentials, Proxy Certificates, and Name Constraints, showing that DeCert achieves design goals such as fine-grained scope, delegation chains, and browser transparency while minimizing changes to TLS and PKI infrastructure. The approach promises improved security, scalability, and management of CDN delegation, with practical deployability and potential to enable new Internet services and subcontracted web operations.

Abstract

The use of Content Delivery Networks (CDNs) has significantly increased over the past decade, with approximately 55 million websites currently relying on CDN services. Emerging solutions, such as Delegated Credentials (RFC 9345), lack fine-grained definitions of many critical aspects of delegation, such as the length of delegation chains, revocation mechanism, permitted operations, and a well-defined scope for said delegation. We present Delegation Certificates (DeCerts), which modify X.509 certificate standard and add new extensions to enable fine-grained CDN delegation. DeCerts allow domain owners to specify delegated and non-delegated subdomains, and control the depth of delegation extended by CDNs, which provides flexibility in delegation management. But more importantly, DeCerts are built on a new principle which provides full autonomy to domain owners-domain owners can issue DeCerts fully independent of Certificate Authorities (CAs), and thus have greater flexibility in policy control, including revocation methods. Such level of flexibility would be hard to match if CAs where to issue such certificates. Revoking a DeCert revokes delegation. We discuss multiple revocation mechanisms for a DeCerts balancing security, performance, and delegator control. We modify Firefox to support DeCert (i.e., proper validation) as a proof-of-concept, and test it to demonstrate the feasibility, compatibility of DeCerts with browsers and TLS/HTTPS protocols. DeCerts enhance the security, scalability, and manageability of CDN delegation, offering a practical solution for Internet services.

Paper Structure

This paper contains 28 sections, 1 figure, 3 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Routing
  4. Authentication
  5. Related Work
  6. Standardized Mechanisms
  7. Deployed Practices
  8. Other Adaptable Schemes
  9. Threat Model and Design Goals
  10. Design Goals for *CDN Delegation
  11. Threat Model
  12. Attacks
  13. Delegation Certificates
  14. Delegation Scoping
  15. Delegation Chains
  16. ...and 13 more sections

Figures (1)

  • Figure 2: DeCert and common forms of invalid delegation