{ "info": { "author": "Trevor Perrin,Moxie Marlinspike", "author_email": "UNKNOWN", "bugtrack_url": null, "classifiers": [], "description": "Tackpy version 0.9.9 Sep 25 2012\n============================================================================\n\nLicenses/Acknowledgements\n==========================\nTackpy is written by Trevor Perrin and Moxie Marlinspike. It includes crypto\ncode from Peter Pearson (ECDSA) and Bram Cohen (AES).\n\nAll code in tackpy has been dedicated to the public domain by its authors. See\nthe LICENSE file for details.\n\n\nInstallation\n=============\nTackpy requires Python 2.6 or greater, or Python 3.\n\nRun \"make install\" or \"python setup.py install\". This installs:\n - The \"tack\" library for use by other Python programs (such as TLS Lite).\n - The \"tack\" command-line tool.\n\nTo use the command-line tool without installation run \"./tack.py\".\n\nOpenSSL\n--------\nTackpy tries to use OpenSSL for AES and ECDSA operations. If OpenSSL cannot be\nloaded, Tackpy will fall back to using slower python crypto code. \n\nTo use OpenSSL on Windows you need \"libeay32.dll\" on your path. On Red Hat\nsystems you need to provide your own libcrypto as the system default does not\ninclude elliptic curve support.\n\n\nQuick start with command-line tool\n=================================== \nYou will need to create one or more TACK keys to \"pin\" your hostnames to. You\nshould use a different key for each hostname, unless those hostnames are\nclosely related (such as aliases for the same host, or hosts sharing a TLS\nprivate key). Once you decide how many TACK keys you need, and the assignment\nof hostnames to keys, do the following:\n\nCreate a TACK key:\n 1) Run \"tack genkey > KEY.pem\" (replace \"KEY\" with a specific name)\n 2) Back up the key file where it won't be lost or stolen.\n\nIf a hostname is using TACK, each server at that hostname must have a tack\nthat signs the public key in the server's certificate. To create and deploy\nthese tacks, do the following:\n\nCreate a tack for a certificate's public key:\n 1) Run \"tack sign -k KEY.pem -c CERT > TACK.pem\".\n\nDeploy tacks to a hostname \n 1) Deploy tacks to each server at the hostname.\n - Apache: Set \"SSLTACKTackFile\" to a tack file.\n 2) Set the activation flag on each server.\n - Apache: Set \"SSLTACKActivationFlags 1\".\n 3) Test the site (if there are problems, see \"Pin deactivation\").\n 4) Whenever you change a server's certificate, you must replace its tack.\n\n\nPin deactivation\n=================\nIf you wish to stop using TACK for a hostname, simply disable the activation\nflag at all servers for that hostname (Apache: \"SSLTACKActivationFlags 0\").\nThen wait for all existing client pins to become inactive.\n\nThe waiting period required is equal to the length of time that the activation\nflag has been enabled for any servers at the hostname, or a maximum of 30\ndays. Once the waiting period is elapsed, all tacks for the hostname can be\nsafely removed.\n\n(For example: If you start using a tack for \"example.com\", then decide to\ndisable the activation flag after one day, you can remove the tack at the end\nof the second day.)\n\n\nAdvanced uses\n==============\n\nRevoking older generations of a tack \n-------------------------------------\nIf a server's TLS key (not its TACK key) has been compromised and you are\nswitching to a new TLS key, you may revoke the tack for the old key by \"-m\n\" in the \"sign\" command. is a number from\n0-255 that is larger than the generation of the tack you wish to revoke.\n\nClients who encounter the new tack will reject older generation tacks from\nthen on. Prior to publishing a new you should replace all\nyour tacks with this generation number (or higher) by signing with \"-g\n\".\n\nFor example: By default tacks have generation=0, so the first time you use\nthis capability you will want to set \"-m1\" after pushing out a new set of\ntacks signed with \"-g1\". If you use it a second time, you will set \"-m2\", and\nso on.\n\nSecurity Consideration: This only provides protection if clients receive the\nnew min_generation. For a more robust defense against TLS key compromise,\nconsider using short-lived tacks.\n\nShort-lived tacks\n------------------\nEvery tack contains a signature covering a TLS public key. The TLS key is\ncontained in a certificate. By default the tack is set to expire at the same\ntime as the certificate, and must be replaced by an updated tack at that\npoint.\n\nIf you shorten the tack's expiration time, then a compromised TLS key will\nbecome unusable to an attacker once the tack expires. For example, every day\nat midnight you could deploy a new tack that expires within 48 hours.\n\nA good way to handle short-lived tacks is to generate a batch of them and\nstore the tacks on a secure system that distributes them to servers. This way,\nyou do not have to use your TACK key to sign new tacks frequently.\n\nYou can generate a batch of tacks with the \"-n NUM@INTERVAL\" argument to\n\"sign\", specifying the number of tacks and the interval between their\nexpiration times. The \"-o\" argument is taken as a filename prefix, and the\n\"-e\" time is used as the first expiration time. Example:\n\ntack sign -k KEY.pem -c CERT -n 365@1d -e 2013-01-02Z -o T1\n\nproduces 365 tacks, one expiring at midnight (UTC) each day of 2013:\n T1_0000.pem\n T1_0001.pem\n T1_0002.pem\n ...\n T1_0364.pem\n\nTACK Key rollover\n------------------\nYou may \"rollover\" a hostname from one TACK key to another without an\ninterruption in security by publishing two tacks simultaneously. This allows\nclients to form pins based on the second tack prior to the first tack being\nremoved.\n\nTo perform a rollover, simply append the new tack to the SSLTACKTackFile, and\nset the SSLTACKActivationFlags to 3 (1 activates the first tack, 2 activates\nthe second tack, and 3 activates both). Allow at least 30 days, then\ndeactivate the first tack by setting SSLTACKActivationFlags to 2. Allow at\nleast another 30 days, then delete the first tack and set\nSSLTACKActivationFlags to 1. The rollover is now complete.\n", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://tack.io", "keywords": null, "license": "public domain", "maintainer": null, "maintainer_email": null, "name": "tackpy", "package_url": "https://pypi.org/project/tackpy/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/tackpy/", "project_urls": { "Download": "UNKNOWN", "Homepage": "http://tack.io" }, "release_url": "https://pypi.org/project/tackpy/0.9.9/", "requires_dist": null, "requires_python": null, "summary": "Tackpy implements TACK in python", "version": "0.9.9" }, "last_serial": 800333, "releases": { "0.9.7": [ { "comment_text": "", "digests": { "md5": "68abf05bf2229b2f2b078855e721ba76", "sha256": "9bb9c9389e22c650a299f7db70179cdd27ec5c02f7ce736e31c8c99eeb3a2034" }, "downloads": -1, "filename": "tackpy-0.9.7.tar.gz", "has_sig": false, "md5_digest": "68abf05bf2229b2f2b078855e721ba76", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 38796, "upload_time": "2012-05-22T22:56:40", "url": "https://files.pythonhosted.org/packages/b5/8e/fa09a999fa1594a8466a753bad9097f0b46a1758027a72961401756bce3c/tackpy-0.9.7.tar.gz" } ], "0.9.8": [], "0.9.9": [ { "comment_text": "", "digests": { "md5": "10f4f59e78f909704a53abf3e827f00b", "sha256": "d4e3f5d84c9ba1ad181effb4703a13f0435c49cc27a693934cd4883e3b5c8d62" }, "downloads": -1, "filename": "tackpy-0.9.9.tar.gz", "has_sig": false, "md5_digest": "10f4f59e78f909704a53abf3e827f00b", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 38161, "upload_time": "2012-09-25T17:26:22", "url": "https://files.pythonhosted.org/packages/7d/12/25578922eebeedfb694731da2ab57719c30c936862e740047770684b1f49/tackpy-0.9.9.tar.gz" } ], "0.9.9a": [ { "comment_text": "", "digests": { "md5": "b00321834abd5cb8c8cd5e547309ba3f", "sha256": "041c4d1e4b20bf35ccd472761779506eff2a5bebb126526337cd7d21b894beed" }, "downloads": -1, "filename": "tackpy-0.9.9a.tar.gz", "has_sig": false, "md5_digest": "b00321834abd5cb8c8cd5e547309ba3f", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 38160, "upload_time": "2012-09-27T20:44:43", "url": "https://files.pythonhosted.org/packages/c4/ef/3e74f4ec64e42a30ef1e58cd6896ce7f5c48933821635ec253e33bb1819c/tackpy-0.9.9a.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "10f4f59e78f909704a53abf3e827f00b", "sha256": "d4e3f5d84c9ba1ad181effb4703a13f0435c49cc27a693934cd4883e3b5c8d62" }, "downloads": -1, "filename": "tackpy-0.9.9.tar.gz", "has_sig": false, "md5_digest": "10f4f59e78f909704a53abf3e827f00b", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 38161, "upload_time": "2012-09-25T17:26:22", "url": "https://files.pythonhosted.org/packages/7d/12/25578922eebeedfb694731da2ab57719c30c936862e740047770684b1f49/tackpy-0.9.9.tar.gz" } ] }