Enregistré dans:
Détails bibliographiques
Auteurs principaux: Thompson, Ethan, Jahromi, Ali Sadeghi, Abdou, AbdelRahman
Format: Preprint
Publié: 2025
Sujets:
Accès en ligne:https://arxiv.org/abs/2510.09983
Tags: Ajouter un tag
Pas de tags, Soyez le premier à ajouter un tag!
_version_ 1866912642517434368
author Thompson, Ethan
Jahromi, Ali Sadeghi
Abdou, AbdelRahman
author_facet Thompson, Ethan
Jahromi, Ali Sadeghi
Abdou, AbdelRahman
contents The use of Content Delivery Networks (CDNs) has significantly increased over the past decade, with approximately 55 million websites currently relying on CDN services. Emerging solutions, such as Delegated Credentials (RFC 9345), lack fine-grained definitions of many critical aspects of delegation, such as the length of delegation chains, revocation mechanism, permitted operations, and a well-defined scope for said delegation. We present Delegation Certificates (DeCerts), which modify X.509 certificate standard and add new extensions to enable fine-grained CDN delegation. DeCerts allow domain owners to specify delegated and non-delegated subdomains, and control the depth of delegation extended by CDNs, which provides flexibility in delegation management. But more importantly, DeCerts are built on a new principle which provides full autonomy to domain owners-domain owners can issue DeCerts fully independent of Certificate Authorities (CAs), and thus have greater flexibility in policy control, including revocation methods. Such level of flexibility would be hard to match if CAs where to issue such certificates. Revoking a DeCert revokes delegation. We discuss multiple revocation mechanisms for a DeCerts balancing security, performance, and delegator control. We modify Firefox to support DeCert (i.e., proper validation) as a proof-of-concept, and test it to demonstrate the feasibility, compatibility of DeCerts with browsers and TLS/HTTPS protocols. DeCerts enhance the security, scalability, and manageability of CDN delegation, offering a practical solution for Internet services.
format Preprint
id arxiv_https___arxiv_org_abs_2510_09983
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Fine-grained CDN Delegation
Thompson, Ethan
Jahromi, Ali Sadeghi
Abdou, AbdelRahman
Networking and Internet Architecture
The use of Content Delivery Networks (CDNs) has significantly increased over the past decade, with approximately 55 million websites currently relying on CDN services. Emerging solutions, such as Delegated Credentials (RFC 9345), lack fine-grained definitions of many critical aspects of delegation, such as the length of delegation chains, revocation mechanism, permitted operations, and a well-defined scope for said delegation. We present Delegation Certificates (DeCerts), which modify X.509 certificate standard and add new extensions to enable fine-grained CDN delegation. DeCerts allow domain owners to specify delegated and non-delegated subdomains, and control the depth of delegation extended by CDNs, which provides flexibility in delegation management. But more importantly, DeCerts are built on a new principle which provides full autonomy to domain owners-domain owners can issue DeCerts fully independent of Certificate Authorities (CAs), and thus have greater flexibility in policy control, including revocation methods. Such level of flexibility would be hard to match if CAs where to issue such certificates. Revoking a DeCert revokes delegation. We discuss multiple revocation mechanisms for a DeCerts balancing security, performance, and delegator control. We modify Firefox to support DeCert (i.e., proper validation) as a proof-of-concept, and test it to demonstrate the feasibility, compatibility of DeCerts with browsers and TLS/HTTPS protocols. DeCerts enhance the security, scalability, and manageability of CDN delegation, offering a practical solution for Internet services.
title Fine-grained CDN Delegation
topic Networking and Internet Architecture
url https://arxiv.org/abs/2510.09983