Hi Moxie,
What do you think of the certificate transparency project they mentioned? It is quite a bit different from pinning and doesn't have any of the scalability issues.
If you haven't heard about it, it basically requires that a certificate be observed in a central database for the browser to accept it. The server provides a proof (signature) of it being in the database when it passes the cert to the client so no extra connections are required.
This makes it immediately known when another cert is issued for a site.
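As an added example (not part of this thread), the "proof of it being in the database" can be made concrete with an RFC 6962-style Merkle log: the log hands out an inclusion proof for a logged certificate, the client rebuilds the tree root from it, and a monitor over the same log notices when a second certificate appears for a domain. The `domain|issuer|serial` byte strings are constructed stand-ins for real certificates, `split_point` and `duplicate_issuances` are names chosen here, the empty-tree case is left out, and the log's signature over the tree head is omitted.

```python
import hashlib

def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()  # 0x00 prefix: leaf

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01: interior

def split_point(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 tree split)."""
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def audit_path(m: int, leaves: list) -> list:
    """Log side: sibling hashes from leaf m up to the root, lowest level first."""
    if len(leaves) <= 1:
        return []
    k = split_point(len(leaves))
    if m < k:
        return audit_path(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return audit_path(m - k, leaves[k:]) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int, path: list, root: bytes) -> bool:
    """Client side (RFC 9162 s2.1.3.2): rebuild the root from leaf and path."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(leaf)
    for p in path:
        if sn == 0:
            return False  # more path elements than tree levels
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn != 0 and not fn & 1:  # fn == sn: skip levels with no sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def duplicate_issuances(leaves: list) -> dict:
    """Monitor side: domains with more than one logged certificate record."""
    seen = {}
    for rec in leaves:
        seen.setdefault(rec.split(b"|")[0], []).append(rec)
    return {d: c for d, c in seen.items() if len(c) > 1}
```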
The efficacy of CT will largely hinge on whether Google can get CAs to participate. Even if they can, it'll be a long road (it already has been), and TACK is immediately deployable in the short term.
Is it necessary to get every cert? Getting the CAs to participate would be the best way, but it seems there are workarounds that will result in a large number of certs being listed, though not all of them:
"Google is currently operating a Certificate Transparency log, and we are filling the log with certificates that we retrieve while crawling the web. We are also actively working on monitoring and auditing software."