TACK is a proposal for a dynamically activated public key pinning framework that provides a layer of indirection away from Certificate Authorities, while remaining fully backwards compatible with existing CA certificates and requiring no changes to sites' existing certificate chains.
It is designed to be easy to incorporate into existing TLS servers and clients, with keys that are simple to manage.
We've submitted an Internet Draft to the IETF with TACK's technical details.
We've written some reference TACK implementations for OpenSSL, Apache, and tlslite, as well as the command-line tools necessary to generate and manage TACK keys.
We have a test server running Apache that supports TACK, which you can visit with your browser.