Trust Assertions for Certificate Keys

37 |

38 | 39 | 40 | Traditionally, a TLS client verifies a TLS server's public key using a 41 | certificate chain issued by some public CA. "Pinning" is a way for clients to 42 | obtain increased certainty in server public keys. Clients that employ pinning 43 | check for some constant "pinned" element of the TLS connection when 44 | contacting a particular TLS host. 45 | 46 | 47 | 48 | Unfortunately, a number of problems arise when attempting to pin certificate 49 | chains: the TLS servers at a given hostname may have different certificate 50 | chains simultaneously deployed and may change their chains at any time, the 51 | "more constant" elements of a chain (the CAs) may not be trustworthy, and the 52 | client may be oblivious to key compromise events which render the pinned data 53 | untrustworthy. 54 | 55 | 56 | 57 | 58 | 59 | TACK addresses these problems by having the site sign its TLS server public 60 | keys with a "TACK key". This enables clients to "pin" a hostname to the TACK 61 | key without requiring sites to modify their existing certificate chains, and 62 | without limiting a site's flexibility to deploy different certificate chains 63 | on different servers or change certificate chains at any time. Since TACK pins 64 | are based on TACK keys (instead of CA keys), trust in CAs is not required. 65 | Additionally, the TACK key may be used to revoke previous TACK signatures (or 66 | even itself) in order to handle the compromise of TLS or TACK private keys. 67 | 68 | 69 | 70 | 71 | If requested, a compliant server will send a TLS Extension containing its 72 | "TACK". Inside the TACK is a public key and signature. Once a client has seen 73 | the same (hostname, TACK public key) pair multiple times, the client will 74 | "activate" a pin between the hostname and TACK key for a period equal to the 75 | length of time the pair has been observed for. This "pin activation" process 76 | limits the impact of bad pins resulting from transient network attacks or 77 | operator error. 78 | 79 | 80 | 81 | 82 | TACK pins are easily shared between clients. For example, a TACK client 83 | may scan the internet to discover TACK pins, then publish these pins for other 84 | clients to rely upon. 85 | 86 | 87 |

88 | 89 | 90 |

The key words "MUST", 91 | "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", 92 | "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as 93 | described in . 94 |

95 | 96 |

97 | 98 |

99 | 100 | A server operator using TACK may perform several processes: 101 | 102 | 103 | 104 | 105 | The server operator first chooses the ECDSA signing key to use for a set of 106 | hostnames. It is safest to use a different signing key for each hostname, 107 | though a signing key may be reused for closely-related hostnames (such as 108 | aliases for the same host, or hosts sharing the same TLS key). 109 | 110 | 111 | 112 | 113 | The TACK private key is then used to sign the TLS public keys for all servers 114 | associated with those hostnames. The TACK public key and signature are 115 | combined with some metadata into each server's "TACK". 116 | 117 | 118 | 119 | 120 | For each hostname, TACKs are deployed to TLS servers in a two-stage process. 121 | First, each TLS server associated with the hostname is given a TACK. Once this 122 | is completed, pin activation is enabled on the servers. 123 | 124 | 125 | 126 | 127 | 128 | A TACK needs to be replaced whenever a server changes its TLS public key, or 129 | when the TACK expires. TACKs may also need to be replaced with 130 | later-generation TACKs if the TACK key's "min_generation" is updated (see 131 | next). 132 | 133 | 134 | 135 | 136 | If a TLS private key is compromised, the TACKs signing this key can be revoked by 137 | publishing a new TACK containing a higher "min_generation". 138 | 139 | 140 | 141 | 142 | If a TACK private key is compromised, or a server operator wishes to stop using 143 | TACK or abruptly change its TACK key for any reason, a server can revoke an entire 144 | TACK key (including all TACKs and pins referring to it) by publishing a "break 145 | signature". 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 |

154 | 155 |

156 | 157 | 158 | 159 | A TACK client maintains a store of pins for verifying TLS connections. Pins 160 | associate a hostname and a TACK key. When a client sees a new hostname and 161 | TACK key combination, an inactive pin is created. Every subsequent time the 162 | client sees the same pin, the pin is "activated" for a period equal to the 163 | timespan between the first time the pin was seen and the most recent time, up 164 | to a maximum period of 30 days. 165 | 166 | 167 | 168 | 169 | Pin activation prevents an attacker with short-lived control of the hostname 170 | from activating long-lived pins. It also makes it safer for sites to 171 | experiment with TACKs, as a new TACK can be discarded without causing 172 | long-lived problems. The 30 day limit guarantees that a worst-case pin can be 173 | recovered from in reasonable time. 174 | 175 | 176 | 177 | 178 | In addition to creating and activating pins, a TLS connection can alter the 179 | clients's pin store by publishing revocation data: 181 | 182 | Each pin stores the highest "min_generation" value it has seen from the pinned 183 | TACK key, and rejects TACKs from earlier generations. 184 | 185 | 186 | 187 | 188 | 189 | A TLS handshake may send break signatures which cause all pins for the 190 | broken key to be discarded. 191 | 192 | 193 | 194 | 195 | 196 |

197 |

198 | 199 |

200 |

201 | 202 | 203 | A new TLS ExtensionType ("tack") is defined and MAY be included by a TLS 204 | client in the ClientHello message defined in . 205 | 206 | 207 |

208 | enum {tack(TBD), (65535)} ExtensionType; 209 | 210 | 211 | 212 | The "extension_data" field of this ClientHello SHALL be empty. A TLS server 213 | which is not resuming a TLS session MAY respond with an extension of type 214 | "tack" in the ServerHello. The "extension_data" field of this ServerHello 215 | SHALL contain a "TACK_Extension", as defined below using the TLS presentation 216 | language from . 217 | 218 | 219 |

220 | enum (disabled(0), enabled(1)} TACK_Activation; 221 | 222 | struct { 223 | opaque public_key[64]; 224 | uint8 min_generation; 225 | uint8 generation; 226 | uint32 expiration; 227 | opaque target_hash[32]; 228 | opaque signature[64]; 229 | } TACK; /* 166 bytes */ 230 | 231 | struct { 232 | opaque public_key[64]; 233 | opaque signature[64]; 234 | } TACK_Break_Sig; /* 128 bytes */ 235 | 236 | struct { 237 | TACK tack<0...166> /* 0 or 1 TACK */ 238 | TACK_Break_Sig break_sigs<0...1024> /* 0...8 Break Sigs */ 239 | TACK_Activation pin_activation; 240 | } TACK_Extension; 241 | 242 | 243 | 244 | 245 | 246 | 247 |

248 |

249 | 250 |

251 | 252 | 253 | 254 | 255 | 256 | This field specifies the TACK's public key. The field contains a pair 257 | of integers (x, y) representing a point on the elliptic curve P-256 defined in 258 | . Each integer is encoded as a 32-byte octet string 259 | using the Integer-to-Octet-String algorithm from , and 260 | these strings are concatenated with the x value first. (NOTE: This is 261 | equivalent to an uncompressed subjectPublicKey from , 262 | except that the initial 0x04 byte is omitted). 263 | 264 | 265 | 266 | 267 | 268 | This field publishes a min_generation value. 269 | 270 | 271 | 272 | 273 | 274 | This field assigns each TACK a generation. Generations less than a published 275 | min_generation are considered revoked. 276 | 277 | 278 | 279 | 280 | 281 | This field specifies a time after which the TACK is considered expired. The 282 | time is encoded as the number of minutes, excluding leap seconds, after 283 | midnight UTC, January 1 1970. 284 | 285 | 286 | 287 | This field is a hash of the TLS server's SubjectPublicKeyInfo using the SHA256 algorithm from . 289 | The SubjectPublicKeyInfo is typically conveyed as part of the server's X.509 290 | certificate. 291 | 292 | 293 | 294 | 295 | 296 | This field is an ECDSA signature by the TACK's public key over the 8 byte 297 | ASCII string "tack_sig" followed by the contents of the TACK prior to the 298 | "signature" field (i.e. the preceding 102 bytes). The field contains a pair of 299 | integers (r, s) representing an ECDSA signature as defined in , using curve P-256 and SHA256. Each integer is encoded as 301 | a 32-byte octet string using the Integer-to-Octet-String algorithm from , and these strings are concatenated with the r value first. 303 | 304 | 305 | 306 | 307 |

308 | 309 |

310 | 311 | 312 | 313 | 314 | 315 | This field specifies the TACK key being broken. The key is encoded as per 316 | TACK.public_key. 317 | 318 | 319 | 320 | 321 | 322 | This field is an ECDSA signature by the TACK_Break_Sig's public key over the 323 | 14 byte ASCII string "tack_break_sig". The field contains a pair of integers 324 | (r, s) representing an ECDSA signature as defined in , using curve P-256 and SHA256. It is calculated and 326 | encoded as per TACK.signature. 327 | 328 | 329 | 330 | 331 | 332 | 333 |

334 | 335 |

336 | 337 | 338 | 339 | 340 | 341 | This field provides the server's TACK. It MAY be empty, or MAY contain a TACK. 342 | 343 | 344 | 345 | 346 | This field provides break signatures. It MAY be empty, or MAY contain up to 8 347 | break signatures. 348 | 349 | 350 | 351 | 352 | If pin activation is enabled, then the TACK_Extension MAY be used by clients 353 | to activate or extend the activation of TACK pins. This field is typically 354 | toggled from a disabled to an enabled state once TACKs have been deployed to 355 | all TLS servers for a hostname. 356 | 357 | 358 | 359 | Note that both the "tack" and "break_sigs" fields MAY be empty. 360 | 361 |

362 | 363 |

364 |

365 | 366 |

367 |

368 | 369 | 370 | 371 | A client supporting TACK SHALL have a local store of pins, consisting of "key 372 | records" and "name records". Each name record is associated with a key record. 373 | Multiple name records MAY be associated with one key record. A "pin" refers to 374 | a (name record, key record) pair. 375 | 376 | 377 | 378 | 379 | A "key record" contains: 380 | 381 | 382 | 383 | 384 | TACK public key (or hash): A public key or a cryptographically-secure, second 385 | preimage-resistant hash of a public key. A client SHALL NOT store multiple key 386 | records referencing the same key. 387 | 388 | 389 | 390 | 391 | Min_generation: A single byte used to detect revoked TACKs. 392 | 393 | 394 | 395 | 396 | 397 | 398 | A "name record" contains: 399 | 400 | 401 | 402 | 403 | 404 | Name: A fully qualified DNS hostname. A client SHALL NOT store multiple name 405 | records with the same name. The TLS server's hostname is considered the 406 | "relevant name", and a pin whose name exactly matches the relevant name is 407 | considered a "relevant pin". 408 | 409 | 410 | 411 | 412 | Initial timestamp: A timestamp noting when this pin was created. 413 | 414 | 415 | 416 | 417 | Active period end: Empty or a timestamp. If empty or set to a time in the 418 | past, the pin is "inactive". If set to a future time, the pin is "active" 419 | until that time. 420 | 421 | 422 | 423 | 424 | 425 | 426 |

427 | 428 |

429 | 430 | 431 | 432 | A TACK client SHALL send the "tack" extension defined previously, as well as 433 | the "server_name" extension from indicating the 434 | hostname the client is contacting. If not resuming a session, the server MAY 435 | respond with a TACK_Extension. A TACK client SHALL perform the following steps 436 | prior to using a non-resumed connection: 437 | 438 | 439 | Check whether the TLS handshake is "well-formed". 440 | Check the TACK generation and update min_generation. 441 | Check whether the TACK is expired. 442 | Create and activate pins (optional). 443 | Discard pins based on break signatures. 444 | 445 | 446 | These steps SHALL be performed in order. If there is any error, the client 447 | SHALL send a fatal error alert and close the connection, skipping the 448 | remaining steps (see for details). 449 | 450 | 451 | 452 | 453 | 454 | After the above steps, if there is a relevant active pin and a TACK whose key 455 | is referenced by the pin, then the connection is "accepted" by the pin. If 456 | there is a relevant active pin but no such TACK, the connection is "rejected" 457 | by the pin. If there is no relevant active pin, the connection is "unpinned". 458 | 459 | 460 | A rejected connection might indicate a network attack. If the connection 461 | is rejected the client SHOULD send a fatal "access_denied" error alert and 462 | close the connection. 463 | 464 | A client MAY perform additional verification steps before using an 465 | accepted or unpinned connection. See for an 466 | example. 467 | 468 |

469 | 470 |

472 | 473 | 474 | 475 | A TLS handshake is "well-formed" if the following are true (the error alert to 476 | be sent on a failure is indicated in parentheses): 477 | 478 | 479 | 480 | The handshake protocol negotiates a cryptographically secure ciphersuite 481 | and finishes succesfully (else see ). 482 | 483 | The handshake contains either no TACK_Extension or a syntactically-valid 484 | TACK_Extension (else "decode_error"). 485 | 486 | If break signatures are present, the signatures are correct (else 487 | "decrypt_error"). This step is optional, as break signature verification MAY 488 | be deferred till later. 489 | 490 | If a TACK is present, it is "well-formed" by the rules below. 491 | 492 | 493 | 494 | 495 | 496 | A TACK is "well-formed" if: 497 | 498 | 499 | "public_key" is a valid elliptic curve public key on the curve P-256 (else 500 | "decrypt_error"). 501 | 502 | "generation" is >= "min_generation" (else "decode_error"). 503 | 504 | "target_hash" is equal to the SHA256 hash of the server's 505 | SubjectPublicKeyInfo (else "illegal_parameter"). 506 | 507 | "signature" is a correct ECDSA signature (else "decrypt_error"). 508 | 509 | 510 | 511 |

512 | 513 |

514 | 515 | 516 | If there is a TACK and a key record referencing the TACK key, and the TACK's 517 | generation is less than the key record's min_generation, then the TACK is 518 | revoked and the client SHALL send the "certificate_revoked" alert and close 519 | the connection. 520 | 521 | 522 | Otherwise, if there is a TACK and a key record referencing the TACK key, 523 | and the TACK's min_generation is greater than the key record's min_generation, 524 | then the key record's min_generation SHALL be set to the TACK's value. 525 | 526 | 527 |

528 |

529 | 530 | 531 | If there is a TACK and the TACK's "expiration" field specifies a time in the 532 | past, the client SHALL send the "certificate_expired" alert and close the 533 | connection. 534 | 535 | 536 | 537 | 538 |

539 | 540 |

541 | 542 | 543 | 544 | The TLS connection MAY be used to create, delete, and activate pins as 545 | described in this section. Note that this section is optional; a client MAY 546 | rely on an external source of pins, provided the external pins are produced by 547 | a client following the below algorithms. 548 | 549 | 550 | 551 | 552 | If there is a TACK and a relevant pin referencing the TACK key, and pin 553 | activation is enabled, the name record's "active period end" SHALL be set 554 | using the below formula (where "current" is the current time, and "initial" is 555 | the "initial timestamp" from the name record): 556 | 557 |

558 | active_period_end = current + MIN(30 days, current - initial) 559 | 560 | 561 | 562 | If there is a TACK and either no relevant pin or an inactive relevant pin that 563 | does not reference the TACK key, a new pin SHALL be created: 564 | 565 | 566 | If the TACK key is referenced by an existing 567 | key record, the key record is reused, otherwise a new key record is created 568 | with the TACK's key and min_generation. 569 | A new name record is created 570 | containing the relevant name, an "initial timestamp" equal to the current 571 | time, and an empty "active period end". 572 | 573 | If there is an existing relevant pin, the pin SHALL be deleted (see ). 575 | 576 | 577 | 578 | 579 | If there is no TACK and the relevant pin is inactive, the pin SHALL be 580 | deleted (see ). 581 | 582 | 583 | 584 | The following table summarizes this behavior based on whether the relevant pin 585 | is active and references the TACK key. The "(*)" means "if pin activation is 586 | enabled". 587 | 588 | 589 | 590 | Pin status 591 | Pin references TACK 592 | Result 593 | Active 594 | Yes 595 | Extend activation period (*) 596 | 597 | Active 598 | No (or no TACK) 599 | Rejected 600 | 601 | Inactive 602 | Yes 603 | Activate pin (*) 604 | 605 | Inactive 606 | No 607 | Replace with new inactive pin 608 | 609 | Inactive 610 | No TACK 611 | Delete pin 612 | 613 | No pin 614 | - 615 | Create new inactive pin 616 | 617 | No pin 618 | No TACK 619 | - 620 | 621 | 622 | 623 |

624 |

625 | 626 | 627 | All key records broken by break signatures SHALL be discarded, along with 628 | their associated name records. A key record is broken by a break signature if 629 | the break signature passes the following checks: 630 | 631 | 632 | 633 | "public_key" is referenced by the key record. 634 | 635 | "signature" is a correct ECDSA signature (else "decrypt_error"). 636 | 637 | 638 | 639 |

640 | 641 |

642 | 643 | 644 | 645 | A client might need to delete a pin from its store as a result of the 646 | algorithms in . A client MAY also delete pins from 647 | its store at any time, whether to save space, protect privacy, or for any 648 | other reason. To delete a pin, its name record SHALL be removed. If this 649 | leaves a key record with no associated name records, the key record MAY be 650 | removed as well. Pins MAY be deleted regardless of whether they are active or 651 | inactive, however for security concerns regarding pin deletion, see . 653 | 654 | 655 | 656 | 657 | 658 | 659 | Deleting pins unnecessarily will reduce the benefits of TACK, so SHOULD be 660 | avoided. Note that a pin SHOULD NOT be deleted simply because it has become 661 | inactive. Instead, such a pin SHOULD be retained, so that it can be 662 | re-activated in the future by the algorithms in . 663 | 664 | 665 |

666 |

667 |

668 |

669 |

670 | 671 | 672 | 673 | A TACK client MAY choose to perform some form of certificate verification in 674 | addition to TACK processing. When combining certificate verification and TACK 675 | processing, the TACK processing described in SHALL 676 | be followed, with the exception that TACK processing MAY be terminated early 677 | (or skipped) if some fatal certificate error is discovered. 678 | 679 | 680 | 681 | 682 | If TACK processing and certificate verification both complete without a fatal 683 | error, the client SHALL apply some policy to decide whether to accept the 684 | connection. The policy is up to the client. An example policy would be to 685 | accept the connection only if it passes certificate verification and is not 686 | rejected by a pin, or if the user elects to "connect anyway" despite 687 | certificate and/or pin failures. 688 | 689 | 690 | 691 |

692 | 693 |

694 | 695 | 696 | 697 | In addition to the hostname-based pinning described in , some applications may require "application-specific 699 | pins", where an application-layer name is pinned to a TACK key. For example, 700 | an SMTP MTA may wish to authenticate receiving MTAs by pinning email domains 701 | to the receiving MTAs' TACK keys. 702 | 703 | 704 | 705 | 706 | Application-specific pins may require redefinition of the name record's "name" 707 | field, the "relevant name" for the TLS connection, and the "pin activation" 708 | signal. With these items redefined, the client processing rules in may be reused. 710 | 711 | 712 | 713 | Note that a server using application-specific pins is still subject to 714 | hostname pins, and a client MAY apply either or both forms of pinning. 715 | 716 | 717 | The specification of application-specific pinning for particular applications 718 | is outside the scope of this document. 719 | 720 | 721 | 722 |

723 |

724 | 725 | 726 |

727 | 728 | 729 | A "TACK ID" MAY be used to represent a TACK public key to users in a form that 730 | is relatively easy to compare and transcribe. A TACK ID consists of the first 731 | 25 characters from the base32 encoding of SHA256(public_key), split into 5 732 | groups of 5 characters separated by periods. Base32 encoding is as specified 733 | in , except lowercase is used. 734 | 735 | 736 | 737 | Example TACK IDs: 738 | 739 | 740 | 741 | quxiz.kpldu.uuedc.j5znm.7mqst 742 | a334f.bt7ts.ljb3b.y24ij.6zhwm 743 | ebsx7.z22qt.okobu.ibhut.xzdny 744 | 745 | 746 | 747 |

748 | 749 |

750 |

751 | 752 | 753 | 754 | 755 | 756 | All servers that are pinned to a single TACK key are able to impersonate each 757 | other, since clients will perceive their TACKs as equivalent. Thus, TACK keys 758 | SHOULD NOT be reused with different hostnames unless these hostnames are 759 | closely related. Examples where it would be safe to reuse a TACK key are 760 | hostnames aliased to the same host, hosts sharing the same TLS key, or 761 | hostnames for a group of near-identical servers. 762 | 763 | 764 | 765 | 766 | 767 | A TLS server may be referenced by multiple hostnames. Clients may pin any of 768 | these hostnames. Server operators should be careful when using such DNS 769 | aliases that hostnames are not pinned inadvertently. 770 | 771 | 772 | 773 | 774 | 775 | To revoke older generations of TACKs, the server operator SHOULD first provide 776 | all servers with a new generation of TACKs, and only then provide servers with 777 | new TACKs containing the new min_generation. Otherwise, a client may receive a 778 | min_generation update from one server but then try to contact an 779 | older-generation server which has not yet been updated. 780 | 781 | 782 | 783 | It is convenient to set the TACK expiration equal to the end-entity 784 | certificate expiration, so that the TACK and certificate may both be replaced 785 | at the same time. Alternatively, short-lived TACKs may be used so that a 786 | compromised TLS private key has limited value to an attacker. 787 | 788 | 789 | 790 | A break signature only needs to be published for a time interval equal to the 791 | maximum active period of any affected pins. For example, if a TACK has been only 792 | been published on a website for 24 hours, to remove the TACK only requires 793 | publishing the break signature for 24 hours. 794 | 795 | 796 | 797 | 798 | Pin activation SHOULD only be enabled once all TLS servers sharing the same 799 | hostname have a TACK. Otherwise, a client may activate a pin by contacting one 800 | server, then contact a different server at the same hostname that does not yet 801 | have a TACK. 802 | 803 | The pin_activation field can be used to phase 804 | out TACKs for a hostname. If all servers at a hostname disable pin activation, 805 | all existing pins for the hostname will eventually become inactive, at which 806 | point the servers' TACKs can be removed. 807 | 808 | 809 | 810 | 811 | 812 | 813 | 814 |

815 |

816 | 817 | 818 | 819 | 820 | It is possible for a client to maintain a pin store based entirely on its own 821 | TLS connections. However, such a client runs the risk of creating incorrect 822 | pins, failing to keep its pins active, or failing to receive revocation 823 | information (min_generation updates and break signatures). Clients are advised 824 | to collaborate so that pin data can be aggregated and shared. This will 825 | require additional protocols outside the scope of this document. 826 | 827 | 828 | 829 | A client SHOULD take measures to prevent TACKs from being erroneously rejected 830 | due to an inaccurate client clock. Such methods MAY include using time 831 | synchronization protocols such as NTP , or accepting 832 | seemingly-expired TACKs if they expired less than T minutes ago, where T is a 833 | "tolerance bound" set to the client's maximum expected clock error. 834 | 835 | 836 | 837 | 838 | 839 |

840 |

841 | 842 |

843 |

844 | 845 | 846 | All servers pinned to the same TACK key can impersonate each other (see ). Think carefully about this risk if using the same TACK 848 | key for multiple hostnames. 849 | 850 | 851 | 852 | Make backup copies of the TACK private key and keep all copies in secure 853 | locations where they can't be compromised. 854 | 855 | 856 | 857 | 858 | A TACK private key MUST NOT be used to perform any non-TACK cryptographic 859 | operations. For example, using a TACK key for email encryption, code-signing, 860 | or any other purpose MUST NOT be done. 861 | 862 | 863 | 864 | HTTP cookies set by a pinned host can be stolen by a 865 | network attacker who can forge web and DNS responses so as to cause a client 866 | to send the cookies to a phony subdomain of the pinned host. To prevent this, 867 | TACK HTTPS Servers SHOULD set the "secure" attribute and omit the "domain" 868 | attribute on all security-sensitive cookies, such as session cookies. These 869 | settings tell the browser that the cookie should only be presented back to the 870 | originating host (not its subdomains), and should only be sent over HTTPS (not 871 | HTTP) . 872 | 873 | 874 |

875 | 876 |

877 | 878 | 879 | 880 | A TACK pin store may contain private details of the client's connection 881 | history. An attacker may be able to access this information by hacking or 882 | stealing the client. Some information about the client's connection history 883 | could also be gleaned by observing whether the client accepts or rejects 884 | connections to phony TLS servers without correct TACKs. To mitigate these 885 | risks, a TACK client SHOULD allow the user to edit or clear the pin store. 886 | 887 | 888 | 889 | 890 | 891 | Aside from rejecting TLS connections, clients SHOULD NOT take any actions 892 | which would reveal to a network observer the state of the client's pin store, 893 | as this would allow an attacker to know in advance whether a 894 | "man-in-the-middle" attack on a particular TLS connection will succeed or be 895 | detected. 896 | 897 | 898 | 899 | 900 | 901 | An attacker may attempt to flood a client with spurious TACKs for different 902 | hostnames, causing the client to delete old pins to make space for new ones. 903 | To defend against this, clients SHOULD NOT delete active pins to make space 904 | for new pins. Clients instead SHOULD delete inactive pins. If there are no 905 | inactive pins to delete, then the pin store is full and there is no space for 906 | new pins. To select an inactive pin for deletion, the client SHOULD delete the 907 | pin with the oldest "active_period_end". 908 | 909 | 910 |

911 | 912 |

913 | 914 | 915 | 916 | If the need arises for TACKs using different cryptographic algorithms (e.g., 917 | if SHA256 or ECDSA are shown to be weak), a "v2" version of TACKs could be 918 | defined, requiring assignment of a new TLS Extension number. TACKs as defined 919 | in this document would then be known as "v1" TACKs. 920 | 921 | 922 |

923 | 924 |

925 | 926 |

927 |

928 | 929 | 930 | IANA is requested to add an entry to the existing TLS ExtensionType registry, 931 | defined in , for tack(TBD) as defined in this document. 932 | 933 | 934 |

935 | 936 |

937 |

938 | 939 | 940 | Valuable feedback has been provided by Adam Langley, Chris Palmer, Nate 941 | Lawson, and Joseph Bonneau. 942 | 943 |

944 | 945 |