The Delegated Credentials mechanism decentralizes the problem by allowing a TLS server to issue short-lived authentication credentials (with a validity period of no longer than 7 days) that are cryptographically bound to a CA-issued certificate. These short-lived credentials then serve as the authentication keys in a regular TLS 1.3 connection between a Firefox client and a CDN edge server situated in a low-trust zone (where the risk of compromise might be higher than usual and perhaps go undetected). This way, performance isn’t hindered and the compromise window is limited.
Mozilla, in partnership with Facebook, Cloudflare, and other IETF community members, has announced technical specifications for a new cryptographic protocol called "Delegated Credentials for TLS."
Delegated Credentials for TLS is a new simplified way to implement "short-lived" certificates without sacrificing the reliability of secure connections.
In short, the new TLS protocol extension aims to effectively prevent the misuse of stolen certificates by reducing their maximum validity period to a very short span of time, such as a few days or even hours.
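To make the mechanism concrete, here is what a client actually parses and checks when a server answers with a delegated credential, as an added example that is not code from Mozilla, Cloudflare or Facebook and not code from the original post: the RFC 9345 wire structure, the 7-day cap on valid_time, the expiry computed from the delegating certificate's notBefore, and the exact bytes the server's certificate key must have signed. The sample key bytes, signature and notBefore are constructed placeholders, so the signature itself is not verified here.

```python
"""Parse and time-check a TLS DelegatedCredential (RFC 9345).

Added example, not code from Mozilla, Cloudflare or Facebook. Wire format,
all integers big-endian:

    struct {
        uint32 valid_time;                            // seconds after the cert's notBefore
        SignatureScheme expected_cert_verify_algorithm;   // uint16
        opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;  // 3-byte length prefix
    } Credential;

    struct {
        Credential cred;
        SignatureScheme algorithm;                    // uint16, scheme used to sign cred
        opaque signature<0..2^16-1>;                  // 2-byte length prefix
    } DelegatedCredential;
"""
import struct
from dataclasses import dataclass

MAX_VALID_TIME = 7 * 24 * 3600   # RFC 9345: clients must reject longer lifetimes

# SignatureScheme code points (RFC 8446, Section 4.2.3)
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804

# Constructed sample values, NOT a real key, signature or certificate.
SAMPLE_SPKI = b"\x30\x2a" + bytes(range(42))
SAMPLE_SIGNATURE = bytes(64)
CERT_NOT_BEFORE = 1_700_000_000            # delegating cert notBefore, Unix seconds


@dataclass
class DelegatedCredential:
    valid_time: int
    expected_cert_verify_algorithm: int
    spki: bytes
    algorithm: int
    signature: bytes
    cred_bytes: bytes                      # raw Credential, the part the signature covers


def build_delegated_credential(valid_time, cv_alg, spki, algorithm, signature) -> bytes:
    """Serialize a DelegatedCredential; what the server side emits."""
    cred = struct.pack(">IH", valid_time, cv_alg) + len(spki).to_bytes(3, "big") + spki
    return cred + struct.pack(">HH", algorithm, len(signature)) + signature


def parse_delegated_credential(data: bytes) -> DelegatedCredential:
    """Strict client-side parser: every length must match and nothing may trail."""
    if len(data) < 9:
        raise ValueError("truncated Credential header")
    valid_time, cv_alg = struct.unpack(">IH", data[:6])
    spki_len = int.from_bytes(data[6:9], "big")
    if spki_len == 0:
        raise ValueError("subjectPublicKeyInfo must be at least 1 byte")
    pos = 9
    spki = data[pos:pos + spki_len]
    if len(spki) != spki_len:
        raise ValueError("truncated subjectPublicKeyInfo")
    pos += spki_len
    cred_bytes = data[:pos]
    if len(data) < pos + 4:
        raise ValueError("truncated signature header")
    algorithm, sig_len = struct.unpack(">HH", data[pos:pos + 4])
    pos += 4
    signature = data[pos:pos + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    if pos + sig_len != len(data):
        raise ValueError("trailing bytes after DelegatedCredential")
    return DelegatedCredential(valid_time, cv_alg, spki, algorithm, signature, cred_bytes)


def signed_message(dc: DelegatedCredential, cert_der: bytes) -> bytes:
    """Bytes the delegation signature covers, server role (RFC 9345).

    Verifying dc.signature over this with the end-entity certificate's key and
    dc.algorithm needs a crypto library and a real key, which this example lacks.
    """
    return (b"\x20" * 64
            + b"TLS, server delegated credentials"
            + b"\x00"
            + cert_der
            + dc.cred_bytes
            + struct.pack(">H", dc.algorithm))


def check_validity(dc: DelegatedCredential, cert_not_before: int, now: int) -> str:
    """Lifetime checks a client makes before using the delegated key.

    valid_time is relative to the delegating certificate's notBefore, so the
    credential expires at notBefore + valid_time. Returns "ok" or the reason.
    """
    if dc.valid_time > MAX_VALID_TIME:
        return "exceeds maximum validity"
    if now >= cert_not_before + dc.valid_time:
        return "expired"
    return "ok"
```

A client that gets anything other than "ok" from these checks must not use the delegated key; a credential that parses cleanly but fails the lifetime check is exactly the stale-key case the 7-day cap is there to bound, which is what limits the damage from a compromised edge server.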
To enable Delegated Credentials in Firefox, open:
about:config
and type ' TLS ' in the search bar.
Zero Round Trip Time Resumption (0-RTT) is a TLS 1.3 feature that lets a client resuming an earlier session send application data in its first flight, without waiting for the server's reply, so HTTPS pages load more quickly.
Find Enable 0RTT Data and set it to ' True ' if you want that speed-up. It is independent of Delegated Credentials and is not needed for them, and it carries a caveat: 0-RTT early data is not protected against replay (RFC 8446, Section 8), so a server that accepts it has to treat those first requests as replayable.
security.tls.enable_0rtt_data
Find Delegated Credentials for TLS by name and make sure it is ' True '. With this enabled, Firefox offers the delegated_credential extension in its ClientHello and, when a server answers with a short-lived delegated credential, verifies that it is signed by the server's CA-issued certificate and has not expired before using its key for the handshake.
security.tls.enable_delegated_credentials
Activate it by changing it from 'False' to 'True'. Note that this does not give the browser a short-lived certificate; the short-lived credentials are issued and used by the server, and the pref only lets Firefox accept them.
Find Enable Post Handshake Authentication. This controls TLS 1.3 post-handshake client authentication (RFC 8446, Section 4.6.2), which lets a server ask for a client certificate after the handshake has finished; it only matters on sites that use client certificates, and it does not affect which protocol versions or cipher suites Firefox accepts. The protocol versions are set separately by security.tls.version.min and security.tls.version.max (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3), with security.tls.version.fallback-limit bounding how far Firefox will fall back after a failed handshake. Lowering these to reach a server that offers only an obsolete version is a bad trade: SSL 2.0 and SSL 3.0 are not supported by Firefox at all, and TLS 1.0 and 1.1 are deprecated. (The original post showed a screenshot of the 'Use TLS 1.2 or TLS 1.3' setting at this point.)
security.tls.enable_post_handshake_auth
Find TLS Hello Downgrade check and leave it ' True '. This is the TLS 1.3 downgrade protection from RFC 8446, Section 4.1.3: a TLS 1.3 server that is made to negotiate TLS 1.2 or lower writes a fixed sentinel into the last eight bytes of ServerHello.random, and a client that offered TLS 1.3 but received a lower version aborts the handshake when it sees that sentinel. The check costs no extra round trips; switching it off only removes the client's ability to detect an attacker or broken middlebox forcing a version downgrade, which is exactly the downgrade attack the setting exists to stop.
As of Firefox 72.0 it is ' True ' (enabled) by default; keep it that way.
security.tls.hello_downgrade_check
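What security.tls.hello_downgrade_check enforces, shown as an added example that is not Firefox or NSS code: a minimal ServerHello parser and the RFC 8446 Section 4.1.3 sentinel check, run against constructed ServerHello messages for an honest TLS 1.3 server, an honest TLS 1.2 server, and a TLS 1.3 server that an attacker forced down to TLS 1.2. The cipher suite values and random bytes are sample data, not captured traffic.

```python
"""TLS 1.3 downgrade sentinel check (RFC 8446, Section 4.1.3).

Added example, not Firefox/NSS code. A TLS 1.3 server that ends up
negotiating TLS 1.2 writes "DOWNGRD\x01" into the last 8 bytes of
ServerHello.random; for TLS 1.1 or lower it writes "DOWNGRD\x00". A client
that offered TLS 1.3 but received a lower version must abort if it sees the
sentinel, because an honest server that only speaks TLS 1.2 never produces it.
"""
import struct

TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 0x002B
DOWNGRADE_TO_TLS12 = b"DOWNGRD\x01"        # 44 4F 57 4E 47 52 44 01
DOWNGRADE_TO_TLS11 = b"DOWNGRD\x00"        # 44 4F 57 4E 47 52 44 00

# Constructed sample randoms: one harmless, one carrying the TLS 1.2 sentinel.
HONEST_RANDOM = bytes(range(32))
DOWNGRADED_RANDOM = bytes(range(24)) + DOWNGRADE_TO_TLS12


def build_server_hello(version: int, server_random: bytes, cipher_suite: bytes) -> bytes:
    """Serialize a minimal ServerHello handshake message (test data only).

    For TLS 1.3 the real version travels in the supported_versions extension
    and legacy_version stays 0x0303, as the RFC requires.
    """
    assert len(server_random) == 32 and len(cipher_suite) == 2
    legacy_version = TLS12 if version >= TLS13 else version
    body = struct.pack(">H", legacy_version) + server_random
    body += b"\x00"                        # empty legacy_session_id_echo
    body += cipher_suite + b"\x00"         # cipher_suite, legacy_compression_method
    ext = b""
    if version >= TLS13:
        ext = struct.pack(">HHH", EXT_SUPPORTED_VERSIONS, 2, version)
    body += struct.pack(">H", len(ext)) + ext
    return b"\x02" + len(body).to_bytes(3, "big") + body   # HandshakeType server_hello


def parse_server_hello(msg: bytes):
    """Return (negotiated_version, server_random) from a ServerHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big") or len(body) < 38:
        raise ValueError("bad ServerHello length")
    negotiated = int.from_bytes(body[0:2], "big")     # legacy_version
    server_random = body[2:34]
    pos = 34
    pos += 1 + body[pos]                   # skip legacy_session_id_echo
    pos += 3                               # cipher_suite + compression method
    if pos + 2 <= len(body):
        ext_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("truncated extensions")
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                negotiated = int.from_bytes(edata, "big")   # TLS 1.3 overrides legacy_version
    return negotiated, server_random


def downgrade_detected(client_max_version: int, negotiated: int, server_random: bytes) -> bool:
    """The client-side check from RFC 8446, Section 4.1.3."""
    tail = server_random[-8:]
    if client_max_version >= TLS13 and negotiated <= TLS12 and tail in (DOWNGRADE_TO_TLS12, DOWNGRADE_TO_TLS11):
        return True
    if client_max_version >= TLS12 and negotiated <= TLS11 and tail == DOWNGRADE_TO_TLS11:
        return True
    return False


def check_server_hello(msg: bytes, client_max_version: int = TLS13) -> str:
    """What a client does with a ServerHello: version sanity, then the sentinel check."""
    negotiated, server_random = parse_server_hello(msg)
    if negotiated > client_max_version:
        return "abort: server chose a version the client did not offer"
    if downgrade_detected(client_max_version, negotiated, server_random):
        return "abort: downgrade sentinel in ServerHello.random"
    return "ok"
```

The sentinel is inside the signed transcript and inside the server's random, so an attacker who strips TLS 1.3 from the ClientHello cannot also remove it; disabling the pref makes the client ignore the one signal that tells it the negotiated version is lower than the server actually supports.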
Mozilla Firefox 70 (70.0 was released to the general public on 22.10.2019; still true for 71.0, released 03.12.2019) comes with Delegated Credentials for TLS, but it is deactivated by default. It is not available in the Firefox browser for smartphones, version 68.2.0, but you can add it by pressing '+' (plus) as a Boolean, as you can see in the image above; I do not know whether it will function as it should. I tried it myself and it was not removed afterwards, but it will remove itself if 'Reset' is pressed, so it comes as not included, and there is no verification that it functions.