

SSL fix flags forged certificates before they're accepted by browsers - abraham
http://arstechnica.com/security/2012/05/ssl-fix-flags-forged-certificates-before-theyre-accepted-by-browsers/

======
idupree
The actual Internet-Draft: <http://tack.io/draft.html>

Unlike Ars, this has the information you need. Each server that implements
this TACK draft has a TACK key at any given time, as well as their usual TLS
key. Conforming clients get sorta-ssh-like key security:

"3.2. Pin life cycle

A TACK client maintains a store of pins for verifying TLS connections. Pins
associate a hostname and a TACK key. When a client sees a new hostname and
TACK key combination, an inactive pin is created. Every subsequent time the
client sees the same pin, the pin is "activated" for a period equal to the
timespan between the first time the pin was seen and the most recent time, up
to a maximum period of 30 days."
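
The pin life cycle quoted above, as an added illustration that is not code from the TACK draft or from the commenter. It models a client pin store in Python: a first sighting of a (hostname, TACK key) pair creates an inactive pin, each later sighting activates it for the elapsed time since first sighting capped at 30 days, and a connection presenting a different TACK key while an active pin exists is treated as a pin failure (the `PinStore` name, the integer-seconds clock, and that conflict rule are assumptions of this example, not text from the draft).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DAY = 24 * 3600
MAX_ACTIVE = 30 * DAY  # 30-day cap on the activation period (section 3.2)


@dataclass
class Pin:
    tack_key: str
    first_seen: int                     # time (seconds) the pair was first seen
    active_until: Optional[int] = None  # None: pin created but still inactive

    def is_active(self, now: int) -> bool:
        return self.active_until is not None and now < self.active_until


class PinStore:
    """Client-side pin store following the life cycle in section 3.2 (assumed model)."""

    def __init__(self) -> None:
        self.pins: Dict[Tuple[str, str], Pin] = {}

    def observe(self, hostname: str, tack_key: str, now: int) -> Pin:
        """Record one sighting of (hostname, tack_key) at time `now`."""
        pin = self.pins.get((hostname, tack_key))
        if pin is None:
            # First sighting: create the pin, but leave it inactive.
            pin = Pin(tack_key=tack_key, first_seen=now)
            self.pins[(hostname, tack_key)] = pin
        else:
            # Later sighting: activate for the span since first sighting, capped.
            span = min(now - pin.first_seen, MAX_ACTIVE)
            pin.active_until = now + span
        return pin

    def active_pins(self, hostname: str, now: int) -> List[Pin]:
        return [p for (h, _), p in self.pins.items() if h == hostname and p.is_active(now)]

    def check(self, hostname: str, tack_key: str, now: int) -> bool:
        """True if the presented TACK key is consistent with the active pins.

        Assumed rule: with no active pin anything is accepted; with active
        pins the presented key must match one of them.
        """
        active = self.active_pins(hostname, now)
        return not active or any(p.tack_key == tack_key for p in active)
```

A client would run `check` before `observe` on each connection, so a conflicting key is refused before it can create a competing pin.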

