The use of Content Delivery Networks (CDNs) has grown significantly over the past decade; approximately 55 million websites currently rely on CDN services. Emerging solutions such as Delegated Credentials (RFC 9345) lack fine-grained definitions of many critical aspects of delegation, such as the length of delegation chains, the revocation mechanism, the permitted operations, and a well-defined scope for the delegation. We present Delegation Certificates (DeCerts), which extend the X.509 certificate standard with new extensions to enable fine-grained CDN delegation. DeCerts allow domain owners to specify delegated and non-delegated subdomains and to control how far CDNs may re-delegate, which provides flexibility in delegation management. More importantly, DeCerts are built on a new principle that gives domain owners full autonomy: domain owners issue DeCerts fully independently of Certificate Authorities (CAs), and thus retain control over policy, including the choice of revocation method. Such a degree of flexibility would be hard to match if CAs were to issue these certificates. Revoking a DeCert revokes the delegation, and we discuss several revocation mechanisms for DeCerts that balance security, performance, and delegator control. As a proof of concept, we modify Firefox to validate DeCerts, and our tests demonstrate the feasibility of DeCerts and their compatibility with browsers and the TLS/HTTPS protocols. DeCerts enhance the security, scalability, and manageability of CDN delegation, offering a practical solution for Internet services.
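As an added example (not code from the paper, which does not specify the DeCert encoding or validation algorithm in this abstract), the following Python sketch uses the `cryptography` library to model the idea: a domain owner, using only its own key and no CA, signs a delegation certificate for a CDN that names delegated and excluded subdomains and a re-delegation depth; the CDN re-delegates once; and a verifier checks signatures, scope narrowing, depth, revocation and the requested hostname. The private-use OID, the JSON encoding of the extension, the Ed25519 keys, the self-signed owner certificate (standing in for a CA-issued one), the `max_depth` semantics (number of further re-delegations allowed) and the names example.com, cdn-a.net, cdn-b.net and cdn-c.net are all assumptions made for illustration.

```python
import datetime as dt
import json
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives.asymmetric import ed25519

DECERT_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")  # assumed private-use OID, not the paper's

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(issuer_key, issuer_cn, subject_cn, subject_pub, scope=None):
    """Sign an Ed25519 cert: a `scope` dict makes it a DeCert, else a plain cert for subject_cn."""
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
         .public_key(subject_pub).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(minutes=5))
         .not_valid_after(now + dt.timedelta(days=7)))
    if scope is not None:  # assumed encoding: JSON inside a critical private-use extension
        b = b.add_extension(x509.UnrecognizedExtension(
            DECERT_OID, json.dumps(scope).encode()), critical=True)
    else:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(subject_cn)]), False)
    return b.sign(issuer_key, None)  # Ed25519 takes no separate hash algorithm

def scope_of(cert):
    try:
        return json.loads(cert.extensions.get_extension_for_oid(DECERT_OID).value.value)
    except x509.ExtensionNotFound:
        return None

def matches(host, pattern):  # '*.example.com' covers exactly one label, as for TLS SANs
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern

def in_scope(host, scope):
    return (any(matches(host, p) for p in scope["delegated"])
            and not any(matches(host, p) for p in scope.get("excluded", [])))

def owner_may_delegate(pattern, domain):  # the owner may only hand out names under its domain
    base = pattern[2:] if pattern.startswith("*.") else pattern
    return base == domain or base.endswith("." + domain)

def narrower(child, parent):
    """A re-delegation spends one hop, keeps exclusions and names only what the parent covers."""
    if parent["max_depth"] < 1 or child["max_depth"] >= parent["max_depth"]:
        return False
    if not set(parent.get("excluded", [])) <= set(child.get("excluded", [])):
        return False
    return all(p in parent["delegated"] or (not p.startswith("*.") and in_scope(p, parent))
               for p in child["delegated"])

def validate(chain, hostname, owner_cert, revoked=frozenset()):
    """chain = [server leaf, innermost DeCert, ..., DeCert signed by owner_cert]."""
    owner_domain = owner_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    scope, n = None, len(chain)
    for i in range(n - 1, -1, -1):                     # walk from the owner inward
        cert, issuer = chain[i], (chain[i + 1] if i + 1 < n else owner_cert)
        if cert.issuer != issuer.subject or cert.serial_number in revoked:
            return False
        try:                                           # Ed25519 signature over the TBS bytes
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
        except Exception:
            return False
        this = scope_of(cert)
        if i > 0:                                      # hop: a DeCert that only narrows
            if this is None or not (all(owner_may_delegate(p, owner_domain) for p in this["delegated"])
                                    if scope is None else narrower(this, scope)):
                return False
            scope = this
        else:                                          # leaf: plain cert inside the final scope
            if this is not None or scope is None:
                return False
            try:
                names = cert.extensions.get_extension_for_class(
                    x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
            except x509.ExtensionNotFound:
                return False
            if hostname not in names or not in_scope(hostname, scope):
                return False
    return True

def demo():
    """Constructed chain: owner -> CDN A (may re-delegate once) -> CDN B -> server leaf."""
    ok, ak, bk, sk = (ed25519.Ed25519PrivateKey.generate() for _ in range(4))
    owner = issue(ok, "example.com", "example.com", ok.public_key())  # stand-in for CA-issued cert
    a = issue(ok, "example.com", "cdn-a.net", ak.public_key(), {
        "delegated": ["*.example.com"], "excluded": ["admin.example.com"], "max_depth": 1})
    b = issue(ak, "cdn-a.net", "cdn-b.net", bk.public_key(), {
        "delegated": ["static.example.com"], "excluded": ["admin.example.com"], "max_depth": 0})
    leaf = issue(bk, "cdn-b.net", "static.example.com", sk.public_key())
    admin = issue(ak, "cdn-a.net", "admin.example.com", sk.public_key())
    c = issue(bk, "cdn-b.net", "cdn-c.net", sk.public_key(), scope_of(b))  # B has no hops left
    leaf_c = issue(sk, "cdn-c.net", "static.example.com", sk.public_key())
    forged = issue(ak, "example.com", "cdn-a.net", ak.public_key(), scope_of(a))  # not owner's key
    return {"ok": validate([leaf, b, a], "static.example.com", owner),
            "excluded": validate([admin, a], "admin.example.com", owner),
            "too_deep": validate([leaf_c, c, b, a], "static.example.com", owner),
            "revoked": validate([leaf, b, a], "static.example.com", owner, {a.serial_number}),
            "forged": validate([leaf, b, forged], "static.example.com", owner)}
```

The `revoked` set is a placeholder for whichever revocation mechanism the owner chooses; what the sketch is meant to show is that the owner's own key, not a CA, is the root of the delegation, so a CDN cannot mint or widen a delegation without it, cannot serve an excluded name even though a wildcard covers it, and cannot re-delegate beyond the depth the owner granted.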