[moxie]

Where Convergence is about changing the way the TLS trust infrastructure works, TACK is about reducing the exposure that a client has to that trust infrastructure.

Currently, your browser is dependent on the CA system for every TLS connection that it makes to a server. The hope for TACK is to reduce your browser's dependence on the CA system to only the first TLS connection that it makes to a server.

At that point, not only do breaches in your trust infrastructure do less damage, but it hopefully becomes easier to solve the problem of transforming the way that trust infrastructure works. This is why most development on Convergence is blocking on TACK.

[StavrosK]

Oh, I didn't realise TACK was your proposal. Now I'm wondering why it wasn't included in TLS in the first place. It sounds very reasonable, but the more valuable (to me, at least) functionality is the ability to have even self-signed certificates be trusted (i.e. what Convergence does). Why is Convergence blocking on TACK, by the way? It sounds like the two would be complementary. Is it just the notary load that is generated when looking up the certificate on every request? Can't that just be cached?