
Moxie Marlinspike Proposes New TACK Extension To TLS For Key Pinning

Trailrunner7 writes "Two independent researchers are proposing an extension for TLS to provide greater trust in certificate authorities, which have become a weak link in the entire public key infrastructure after some big breaches involving fraudulent SSL certificates. TACK, short for Trust Assertions for Certificate Keys, is a dynamically activated public key framework that enables a TLS server to assert the authenticity of its public key. According to an IETF draft submitted by researchers Moxie Marlinspike and Trevor Perrin, a TACK key is used to sign the public key from the TLS server's certificate. Clients can 'pin' a hostname to the TACK key, based on a user's visitation habits, without requiring sites to modify their existing certificate chains or limiting a site's ability to deploy or change certificate chains at any time. If the user later encounters a fraudulent certificate on a 'pinned' site, the browser will reject the session and send a warning to the user. 'Since TACK pins are based on TACK keys (instead of CA keys), trust in CAs is not required. Additionally, the TACK key may be used to revoke previous TACK signatures (or even itself) in order to handle the compromise of TLS or TACK private keys,' according to the draft."
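A client-side model of the pinning behaviour the summary describes, added here as an illustration and not code from the draft or its authors: the TACK key signs a hash of the certificate's public key, the client pins the hostname to that TACK key, and a pin only becomes active after repeated observation, so a later certificate vouched for by a different TACK key is rejected while the pin is active. The 30-day activation cap, the field names, and the one-time Lamport signature (standing in for the draft's real signature scheme) are assumptions of this example.

```python
import hashlib, os

DAY = 86400
MAX_PIN_ACTIVE = 30 * DAY   # assumed cap on how long a pin stays active without re-observation

def h(b):
    return hashlib.sha256(b).digest()

# Lamport one-time signature: a stand-in for the draft's TACK signature (assumption).
def tack_keygen():
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = tuple((h(a), h(b)) for a, b in priv)
    return priv, pub

def tack_sign(priv, target_hash):
    bits = int.from_bytes(h(target_hash), "big")
    return tuple(priv[i][(bits >> i) & 1] for i in range(256))

def tack_verify(pub, target_hash, sig):
    bits = int.from_bytes(h(target_hash), "big")
    return all(h(sig[i]) == pub[i][(bits >> i) & 1] for i in range(256))

class PinStore:
    """Per-hostname pins to a TACK key, activated by repeated observation (constructed model)."""
    def __init__(self):
        self.pins = {}   # hostname -> {"key_id", "first_seen", "active_until"}

    def check(self, hostname, cert_spki, tack, now):
        """Return "accept" or "reject" for a certificate plus the TACK presented with it."""
        pub, target_hash, sig = tack
        if target_hash != h(cert_spki) or not tack_verify(pub, target_hash, sig):
            return "reject"           # the TACK does not vouch for this certificate's key
        key_id = h(b"".join(a + b for a, b in pub))
        pin = self.pins.get(hostname)
        if pin and pin["key_id"] != key_id:
            if now < pin["active_until"]:
                return "reject"       # active pin to another TACK key: treat as fraudulent cert
            pin = None                # an inactive pin is simply replaced by the new key
        if pin is None:
            # First sighting: record the pin but leave it inactive (active_until == now).
            self.pins[hostname] = {"key_id": key_id, "first_seen": now, "active_until": now}
            return "accept"
        # Re-observation: active for as long as it has been seen so far, capped at 30 days.
        pin["active_until"] = now + min(now - pin["first_seen"], MAX_PIN_ACTIVE)
        return "accept"
```

Because the pin lapses unless the same TACK key keeps being observed, a site that legitimately rotates its TACK key is locked out only for the remaining active period, not forever.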
  • by Anon-Admin ( 443764 ) on Thursday May 24, 2012 @11:50AM (#40100311) Journal

    It seems to me that you could do a p2p certificate authority where a certificate's trust is based on the number of people who trust the cert as well as a past history of your trusts.

    So, if historically you trust certs that are frauds, then the trust in you is reduced and all certs you trusted are reduced.
    If the opposite is true, then the trust in you is higher, as is the trust in the certs you have trusted.

  • by Anonymous Coward on Thursday May 24, 2012 @11:55AM (#40100351)

    TACK isn't really about replacing CAs, that's more the goal of Moxie's other project, Convergence. To quote Moxie from the IETF TLS list: "While I see a project like Convergence as an attempt to provide increased 'trust agility,' I see TACK as an attempt to reduce the surface for which third party trust is even required. The two types of projects are not incompatible, and in fact the latter simply reduces the amount of work the former needs to do."
