[jcase]

Sounds very similar to Convergence. In fact, it turns out that "Convergence is based on previous work from the Perspectives Project at Carnegie Mellon University".[0] I don't think this (or Convergence) will see widespread adoption though. For now, public key pinning (e.g. Tack.io) seems like the best way forward.

For what it's worth, many CA's are trying to raise the bar by way of the CA/Browser Forum.[1] The public mailing list is quite interesting at times.

[0] https://en.wikipedia.org/wiki/Convergence_(SSL)#Background

[1] https://www.cabforum.org

[dfc]

I tried to figure out the difference between Convergence and Perspectives but I ended up getting frustrated and gave up. If anyone knows the differences please speak up.

[moxie]

The detailed explanation is in this BlackHat talk where I introduced Convergence: http://www.youtube.com/watch?v=Z7Wl2FW2TcA

[windexh8er]

Is it still maintained? I used to use it but it didn't seem like it tracked well with FF updates. Just tried on 22 and doesn't seem to work correctly anymore. Bummer. :(

[dfc]

Thanks! Youtube videos are my research blindspot.

[StavrosK]

Ugh, Tack looks interesting but provides no quick, high-level overview. Do you mind explaining how the initial key bootstrapping happens?

[pudquick]

The relevant bit of information you're looking for is this part of the standard:

"Sharing pin information:

It is possible for a client to maintain a pin store based entirely on its own TLS connections. However, such a client runs the risk of creating incorrect pins, failing to keep its pins active, or failing to receive min_generation updates. Clients are advised to make use of 3rd-party trust infrastructure so that pin data can be aggregated and shared. This will require additional protocols outside the scope of this document."

All that TACK does on its own without an external "trusted source" for pinned keys is provide a mechanism for a client to ask a site "Do you have a pinnable key?" and then compare / track that over time to determine if the TLS connection has changed vs. what was expected.

As a hypothetical, if your client starts with zero knowledge of a site, the best TACK can do is tell you, over time, "Yes, this is the same TLS key." It cannot, on its own, tell you "You should trust this key." It simply tells you "You can trust this connection has/hasn't changed" and "This site would like to you consider this key pinned".

The part where it removes the dependency on a CA is where the standard says that a client may validate the signature chain of a pinned key but that it is not required to do so.

Chrome pins certain keys from Google and a few other third parties in the client itself. The TACK proposal basically adds a mechanism for dynamic pinning with an optional (and recommended) additional mechanism for gathering trusted pinned certificate lists (without specifying how to do this part).

[StavrosK]

Ah, thanks. Tack isn't a replacement for (or comparable to) Convergence, as the latter also tells you that you can trust a site, since its key has been the same for X months, even if you've never seen it before.

Unfortunately, Convergence has the disadvantage of relying on central servers, which have to be maintained by someone.

[moxie]

Where Convergence is about changing the way the TLS trust infrastructure works, TACK is about reducing the exposure that a client has to that trust infrastructure.

Currently, your browser is dependent on the CA system for every TLS connection that it makes to a server. The hope for TACK is to reduce your browser's dependence on the CA system to only the first TLS connection that it makes to a server.

At that point, not only do breaches in your trust infrastructure do less damage, but it hopefully becomes easier to solve the problem of transforming the way that trust infrastructure works. This is why most development on Convergence is blocking on TACK.

[StavrosK]

Oh, I didn't realise TACK was your proposal. Now I'm wondering why it wasn't included in TLS in the first place. It sounds very reasonable, but the more valuable (to me, at least) functionality is the ability to have even self-signed certificates be trusted (i.e. what Convergence does). Why is Convergence blocking on TACK, by the way? It sounds like the two would be complementary. Is it just the notary load that is generated when looking up the certificate on every request? Can't that just be cached?