Skip to main content

Delegated Credentials for TLS

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 9345.
Expired & archived
Authors Richard Barnes , Subodh Iyengar , Nick Sullivan , Eric Rescorla
Last updated 2018-05-03 (Latest revision 2017-10-30)
Replaces draft-rescorla-tls-subcerts
RFC stream Internet Engineering Task Force (IETF)
Additional resources Mailing list discussion
Stream WG state WG Document
Associated WG milestone
Sep 2020
Submit "Delegated Credentials for TLS" to the IESG
Document shepherd (None)
IESG IESG state Expired
Consensus boilerplate Yes
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


The organizational separation between the operator of a TLS server and the certificate authority that provides it credentials can cause problems, for example when it comes to reducing the lifetime of certificates or supporting new cryptographic algorithms. This document describes a mechanism to allow TLS server operators to create their own credential delegations without breaking compatibility with clients that do not support this specification.


Richard Barnes
Subodh Iyengar
Nick Sullivan
Eric Rescorla

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)