cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

Delegated Credentials for TLS support #1125

Open rektide opened 4 years ago

rektide commented 4 years ago

Hello. What would be involved with adding Delegated Credentials for TLS support to cfssl? I believe there are two main cases:

  1. cfssl issuing a "delegation certificate" to operators, with which they can generate their own delegated credentials
  2. cfssl generating a "delegated credential" from a delegation certificate that has been provided by a CA

Some good introductory reading on Delegated Credentials for TLS is available from this fine article; I suspect some folks here may already be familiar with it. ;)

wbl commented 4 years ago

I made an attempt at this in https://github.com/cloudflare/cfssl/pull/953 and see also https://github.com/cloudflare/cfssl/pull/1040. The challenges we ran into were around specifying the policy for the CA when it came to signing with extensions and I don't think we quite got something we were happy with there.

rektide commented 4 years ago

Thank you, & apologies: I did search but did not see or make the connection to Delegated Credentials.