

TACK: "pinning" certs to a self-chosen signing key, complements/replaces CAs - JulianMorrison
http://tack.io/draft.html

======
lomnakkus
IMO this is exactly the kind of thing we need right now -- iterative change
for the better instead of coming up with yet another "let's just reset the
Internet" plan.

I realize that there are limitations to this kind of evolutionary plan --
namely only achieving local maxima -- but for now it seems to be the best way
forward. As opposed to natural evolution we can still choose at a later date
(perhaps at greater overall cost) to go for a completely different scheme if
we deem it necessary/justified.

EDIT: s/additive/iterative/

------
y0ghur7_xxx
TACK needs browser support ASAP. It's been around for over a year and it seems
dead... I hope Chrome and Firefox pick it up soon.

------
ikawe
See my question from yesterday: How does something like TACK fare in a mass
certificate revocation scenario like Heartbleed:
[https://news.ycombinator.com/item?id=7554302](https://news.ycombinator.com/item?id=7554302)

~~~
xyzzy123
You handle it in the same way you handle rolling new certificates with TACK.
No panic.

You just update your web servers with new TACK signatures corresponding to
your new certs.

------
JulianMorrison
Hat tip to tptacek
[https://news.ycombinator.com/item?id=7562185](https://news.ycombinator.com/item?id=7562185)

------
pornel
It seems like a great idea, so what is holding it back?

~~~
moxie
Browser support. We've got major internet sites on board waiting to deploy it,
but despite some early indications of support, the browsers have not been
forthcoming. We even tried writing the code for them, but to little avail.

My sense is that Google is all-in on Certificate Transparency right now, and
doesn't want anything to distract from that. However, I think a successful CT
deployment is a long time coming still, and TACK could have been out two years
ago. My sense is that Mozilla is just understaffed and/or waiting to follow
Google's lead in this area.

Ultimately, this is the frustrating thing about trying to improve the state of
secure communication today. Most of the levers are in the hands of the browser
vendors, which makes it difficult for those of us on the outside to help
iterate things forward.

~~~
briansmith
You can see the CT people's comparison of CT to other technologies here:
[http://www.certificate-transparency.org/comparison](http://www.certificate-transparency.org/comparison)

One serious concern I see about TACK from the browser's perspective is the
support burden of dealing with server admins' lost TACK keys. HPKP has similar
risks, but it seems to manage this risk in a way that is more comfortable for
browsers to deal with. However, I also think that at least at Mozilla we've
become more worried about the risks of HPKP than we were originally, and so
there are plans to build the same kind of mechanism for dealing with DoS due
to HPKP that a browser would need to build for TACK. It may be too late to get
browsers to do TACK because they seem pretty committed to HPKP already and it
is harder to convince them to do both. However, if you still want to try then
I'd suggest presenting more clearly how browsers could deal with the "I lost
my TACK key" scenario.

The other major negative thing about TACK is that it requires the server admin
to do work that can't be automated in a way that is reasonable (because the
TACK key should not live on the web server). HPKP leaves more of an open door
for future web servers to apply it automatically (e.g. by
generating pins for the end-entity, intermediates, and root keys in the chain,
on the assumption that the server admin will never lose control of the private
key of the end-entity at the same time he/she needs to switch CAs) or with
very simplified UI.

------
jokoon
This is the first step towards a more secure internet, but that won't solve
anything.

I think countries need to build up independent, public groups of computer
experts who can actively work at approving software and security protocols
and infrastructures. Something like the FDA for internet security. Don't know
if it's impossible or not, but there isn't anything official about internet
security in the world yet, apart from universities and the AES algorithm.

