Public key pinning is a pain in the ... for website owners - it is very hard to implement because it needs very precise timing for the replacement of the pinned public key when you need to renew the certificate.
But...
The DA Let's Encrypt certificates are automatically renewed by DA. So, theoretically, we have a very good base for automating the pinning - DA knows exactly when it will try to renew the certificate!
Therefore it should be possible for DA to dynamically send the HPKP header to the visitors of a particular website in such a way that the max-age period is calculated to match exactly the time of the renewal of the certificate.
Then if, for some reason, the renewal of the cert fails, DA can stop sending HPKP headers in order to prevent the website from being blocked.
Now the big remaining question is about the backup key pins... I read somewhere that without a backup, the pins won't work. Can we request two free Let's Encrypt certificates and keep one of them as a backup pin?
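The scheme proposed above (max-age ending exactly at the scheduled renewal, a mandatory backup pin, no header once a renewal has failed), as an added example that is not DirectAdmin's code and not part of the original post. The SPKI byte strings, timestamps and function names are constructed placeholders; for a real certificate the input is the DER SubjectPublicKeyInfo that `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der` produces.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as RFC 7469 defines it:
    base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def hpkp_header(active_spki: bytes, backup_spki: bytes,
                renew_at: int, now: int, renewal_ok: bool = True):
    """Build the Public-Key-Pins header value, or None to send no header.

    renew_at and now are Unix timestamps. max-age is the number of seconds
    until the scheduled renewal, so every pin a visitor stores expires
    exactly when the key is replaced.
    """
    # Failed or overdue renewal: stop pinning. Visitors who already hold
    # pins keep them until the max-age they received runs out, which by
    # construction is the renewal time itself.
    if not renewal_ok or renew_at <= now:
        return None
    active, backup = spki_pin(active_spki), spki_pin(backup_spki)
    # RFC 7469 requires a backup pin that does not match any key in the
    # served chain; a "backup" equal to the active key is ignored by UAs.
    if active == backup:
        raise ValueError("backup pin must be for a different key than the active one")
    return f'pin-sha256="{active}"; pin-sha256="{backup}"; max-age={renew_at - now}'


# Constructed sample inputs (not real keys): two placeholder SPKI byte
# strings and a renewal scheduled 30 days after "now", as DA's renewal
# job would know it.
SAMPLE_ACTIVE_SPKI = b"constructed-active-spki-der"
SAMPLE_BACKUP_SPKI = b"constructed-backup-spki-der"
SAMPLE_NOW = 1_700_000_000
SAMPLE_RENEW_AT = SAMPLE_NOW + 30 * 24 * 3600


def demo_header():
    """Header value for the constructed sample, max-age=2592000 (30 days)."""
    return hpkp_header(SAMPLE_ACTIVE_SPKI, SAMPLE_BACKUP_SPKI, SAMPLE_RENEW_AT, SAMPLE_NOW)


if __name__ == "__main__":
    print("Public-Key-Pins:", demo_header())
    print("after failed renewal:", hpkp_header(SAMPLE_ACTIVE_SPKI, SAMPLE_BACKUP_SPKI,
                                               SAMPLE_RENEW_AT, SAMPLE_NOW, renewal_ok=False))
```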