Fine-grained CDN Delegation

The use of Content Delivery Networks (CDNs) has significantly increased over the past decade, with approximately 55 million websites currently relying on CDN services. Emerging solutions, such as Delegated Credentials (RFC 9345), lack fine-grained definitions of many critical aspects of delegation, such as the length of delegation chains, revocation mechanism, permitted operations, and a well-defined scope for said delegation. We present Delegation Certificates (DeCerts), which modify X.509 certificate standard and add new extensions to enable fine-grained CDN delegation. DeCerts allow domain owners to specify delegated and non-delegated subdomains, and control the depth of delegation extended by CDNs, which provides flexibility in delegation management. But more importantly, DeCerts are built on a new principle which provides full autonomy to domain owners-domain owners can issue DeCerts fully independent of Certificate Authorities (CAs), and thus have greater flexibility in policy control, including revocation methods. Such level of flexibility would be hard to match if CAs where to issue such certificates. Revoking a DeCert revokes delegation. We discuss multiple revocation mechanisms for a DeCerts balancing security, performance, and delegator control. We modify Firefox to support DeCert (i.e., proper validation) as a proof-of-concept, and test it to demonstrate the feasibility, compatibility of DeCerts with browsers and TLS/HTTPS protocols. DeCerts enhance the security, scalability, and manageability of CDN delegation, offering a practical solution for Internet services.