Hi TLS (cc websec),

There's a new TACK draft:
http://tools.ietf.org/html/draft-perrin-tls-tack-01

You can find code and other resources at http://tack.io

We'd love to get feedback or answer questions. We'd also appreciate advice on whether this should remain an individual submission or would make sense as a WG document.

Changes
--------
The main change is that we removed break signatures. Instead, servers may optionally publish a second tack. Clients can form two pins for a hostname.

These changes let a server publish tacks from a new TACK key prior to deactivating and removing the old key's tacks. This "rollover" is a better way to handle a compromised or suspect TACK key because it preserves any security offered by the old key while the new one is being introduced.

Other changes:
 * Rewrote "Client processing" to improve clarity.
 * Renamed
    "TACK" structure to "tack"
    "TACK_Extension" to "TackExtension"
    "pin_activation" field to "activation_flags"
    "TACK ID" to "key fingerprint"
 * Simplified error alerts sent by clients (and aligned with RFC 5878)
 * Deleted old section "6.2 Application-specific pinning", which was too vague to be useful. Added new 6.1 and 6.2 discussing considerations with different application protocols.
 * Changed server_name extension in ClientHello from SHOULD to SHALL.
 * Tweaked the Advice for Server Operators (8.1) regarding Tack expiration.

Trevor
