Researchers float proposal to improve trust in digital certificates

No, not that kind of tack...

The TLS extension, known as trust assertions for certificate keys (TACK), is a dynamically activated public key framework that enables a TLS server to assert the authenticity of its public key.

“A TACK contains a ‘TACK key’ which is used to sign the public key from the TLS server's certificate. Hostnames can be ‘pinned’ to a TACK key. TLS connections to a pinned hostname require the server to present a TACK containing the pinned key and a corresponding signature over the TLS server's public key”, the researchers explained in a draft paper submitted to the Internet Engineering Task Force (IETF).

“Since TACK pins are based on TACK keys (instead of CA keys), trust in CAs is not required. Additionally, the TACK key may be used to revoke previous TACK signatures (or even itself) in order to handle the compromise of TLS or TACK private keys”, they noted.
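To make the pinning and revocation logic concrete, here is an added example written for this article; it is not code from the draft or from the TACK authors, and it uses a simplified model rather than the draft's wire format. The `Tack`, `Pin`, `IssueTack` and `VerifyTack` names are assumptions of the example. The server side signs the hash of its TLS public key with the TACK key; the client side checks that the presented TACK key matches the key pinned for the hostname, that the signature covers the TLS key actually presented, and that the TACK's generation has not been revoked by a newer `min_generation`. Pinning on first contact is a simplification; the draft activates pins only after repeated observations.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Pin is what a client remembers about a hostname: the fingerprint of the
// TACK key the host is pinned to and the lowest generation still accepted.
type Pin struct {
	TackKeyFingerprint [32]byte
	MinGeneration      uint8
}

// Tack is a simplified model (an assumption of this example, not the IETF
// draft's encoding) of the assertion a server presents. The TACK key signs
// the hash of the TLS server's SubjectPublicKeyInfo plus the generation fields.
type Tack struct {
	TackPub       *ecdsa.PublicKey
	Generation    uint8    // generation of this signature
	MinGeneration uint8    // signatures with a lower generation are revoked
	TargetHash    [32]byte // SHA-256 of the TLS server's SPKI
	Sig           []byte   // ASN.1 ECDSA signature over signedBytes()
}

// keyHash returns SHA-256 over the DER SubjectPublicKeyInfo of a key; it is
// used both as the TLS-key target and as the TACK-key fingerprint.
func keyHash(pub *ecdsa.PublicKey) ([32]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(der), nil
}

func (t *Tack) signedBytes() []byte {
	msg := []byte{t.Generation, t.MinGeneration}
	return append(msg, t.TargetHash[:]...)
}

// IssueTack is the server operator's side: sign the TLS public key with the
// TACK private key, carrying the generation counters used for revocation.
func IssueTack(tackPriv *ecdsa.PrivateKey, serverPub *ecdsa.PublicKey, gen, minGen uint8) (*Tack, error) {
	if gen < minGen {
		return nil, errors.New("generation below min_generation")
	}
	h, err := keyHash(serverPub)
	if err != nil {
		return nil, err
	}
	t := &Tack{TackPub: &tackPriv.PublicKey, Generation: gen, MinGeneration: minGen, TargetHash: h}
	digest := sha256.Sum256(t.signedBytes())
	if t.Sig, err = ecdsa.SignASN1(rand.Reader, tackPriv, digest[:]); err != nil {
		return nil, err
	}
	return t, nil
}

// VerifyTack is the client's side. It needs no CA: trust rests on the pinned
// TACK key. pins is the client's persistent pin store, keyed by hostname.
func VerifyTack(pins map[string]*Pin, host string, serverPub *ecdsa.PublicKey, t *Tack) error {
	h, err := keyHash(serverPub)
	if err != nil {
		return err
	}
	if h != t.TargetHash {
		return errors.New("TACK does not cover the TLS key the server presented")
	}
	digest := sha256.Sum256(t.signedBytes())
	if !ecdsa.VerifyASN1(t.TackPub, digest[:], t.Sig) {
		return errors.New("invalid TACK signature")
	}
	fp, err := keyHash(t.TackPub)
	if err != nil {
		return err
	}
	pin, ok := pins[host]
	if !ok {
		// Simplification: pin on first contact (the draft requires repeated observations).
		pins[host] = &Pin{TackKeyFingerprint: fp, MinGeneration: t.MinGeneration}
		return nil
	}
	if pin.TackKeyFingerprint != fp {
		return errors.New("TACK key does not match the pin for " + host)
	}
	if t.Generation < pin.MinGeneration {
		return errors.New("TACK generation has been revoked")
	}
	if t.MinGeneration > pin.MinGeneration {
		pin.MinGeneration = t.MinGeneration // remember the revocation going forward
	}
	return nil
}

func main() {
	tackKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tlsKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pins := map[string]*Pin{}
	tack, _ := IssueTack(tackKey, &tlsKey.PublicKey, 0, 0)
	fmt.Println("first contact:", VerifyTack(pins, "example.com", &tlsKey.PublicKey, tack))
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bad, _ := IssueTack(rogue, &tlsKey.PublicKey, 0, 0)
	fmt.Println("other TACK key:", VerifyTack(pins, "example.com", &tlsKey.PublicKey, bad))
}
```

A compromised TLS private key is handled by rotating the TLS key and issuing a new TACK with a higher `min_generation`; clients that have seen the new TACK then reject the older signature even though it still verifies.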

TACK is designed to improve trust in digital certificates – trust that was eroded last year when an Iranian hacker known as Comodohacker compromised CAs Comodo and DigiNotar and issued fraudulent certificates. The compromise of DigiNotar led the Dutch government to revoke its root certificates and to the company’s bankruptcy.