[NateLawson]

All of these are good recommendations.

Another technology to start preparing for is TACK. It allows you, the server owner, to control browser pinning of your certs while maintaining CA mobility. This gives you the control over your security that Google has over Gmail via Chrome cert pinning without having to issue a new browser build every time you change CAs.

One way to think of it is like a domain transfer lock but with cryptography. You control how you unlock your pin to allow mobility to a new CA by sticking a signed file on your SSL server.

http://tack.io/

[Disclosure: one of the authors of TACK is a former co-worker.]

[justauser]

I see Moxie is one of the authors on the draft. Is this an outgrowth/pivot of Convergence?

[moxie]

The way I see the relationship between Convergence and TACK is that Convergence is trying to provide trust agility for when we need to trust third parties, while TACK is trying to reduce the amount that we even need to trust a third party at all.

I think the first problem gets considerably easier to solve once the latter is in place, and there's a lot we could do with Convergence-like systems that would make them more deployable if TACK is adopted.

In the short term, however, TACK stands on its own, and we hope it's a fairly uncontroversial proposal that will be easy to integrate into the ecosystem.

[tptacek]

Moxie Marlinspike works for Twitter now that they've acquired Whisper. TACK addresses the same problem as Convergence, but is a much more tactical and incremental feature.