Two researchers have prepared a draft standard for the Internet Engineering Task Force to help extend the trust of SSL certificates. The approach is Trust Assertions for Certificate Keys, or TACK, and was prepared by Trevor Perrin and Moxie Marlinspike.
TACK is an SSL extension that enables a Web server to assert the authenticity of its public key. A TACK contains a “TACK key” that is used to sign the public key from the Web server’s certificate. Hostnames can be “pinned” to a TACK key. Connections to a pinned hostname require the server to present a TACK containing the pinned key and a corresponding signature over the web server’s public key.
Pinning is used to eliminate the chance that more than one CA issues a certificate for the same address. The big issue is that one of those certificates may be fraudulent; similar to what happened last year with the DigiNotar CA.
The DigiNotar incident was caught using public key pinning. This was accomplished because Google added pinning in Chrome so that Google certificates could only be issued from a few CAs. When the DigiNotar attacked occurred, a Chrome user noticed and reported the issue. The problem with pinning is that it is not scalable for all Internet sites.
The TACK approach seems like a reasonable approach that may scale better than pinning. Code changes would be required on both servers and clients, so it would take some time to be deployed.
The draft makes a statement that “Since TACK pins are based on TACK keys (instead of CA keys), trust in CAs is not required.” Not quite right as Internet trust is based on two components. The communication between two parties is secure and you know who you are communicating with. It’s the CAs who addresses the second part. It is the CA that verifies that the owner of the domain name was issued the SSL certificate. TACK does not address this issue.
Nevertheless, TACK looks like a good step forward in the security of the Web.