|
|
|
|
|
|
by breser
2422 days ago
|
|
|
All this is doing is allowing the server (or client since the protocol allows client certificates to do the same thing) to use a different key pair with a shorter validity period than the CA signed certificate. The delegated credential is not another cerificate and doesn't have a DNS name in it at all. The original certificate who's private key was used to create the delegated credential still has that information and the client still gets that. The delegated credential only consists of four pieces of information: validity interval, public key, signature algorithm and signature. I.E. just enough information to provide the public key and verify it is signed by the CA signed certificate. RFC is here if you want to read the details:
https://tools.ietf.org/html/draft-ietf-tls-subcerts-04 |
|
|