drop http public key pinning (HPKP)
http PKP has been deprecated and removed from many browsers already.
We should stop sending that header.
I propose a 2 stage process:
- get clients that visit us regularly to drop their cached pin
- after all pins would also have expired, stop sending the header entirely.
for 1, something like this
--- a/modules/apache2/templates/ssl-key-pins.erb
+++ b/modules/apache2/templates/ssl-key-pins.erb
@@ -24,7 +24,9 @@
if pin_info.size >= 2 then
pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
# 60 days
- pin_info << "max-age=5184000"
+ #pin_info << "max-age=5184000"
+ # 0 days, set 2020-03-11, so we can get rid of the header around 2020-05-11.
+ pin_info << "max-age=0"
pin_str = pin_info.join("; ")
res << " Header always set Public-Key-Pins \"#{pin_str}\""
else
also cf https://tools.ietf.org/html/rfc7469#section-2.3.1
-
get clients that visit us regularly to drop their cached pin (done on 2020-03-11) -
after all pins would also have expired, stop sending the header entirely (done on 2020-10-14) -
update the tls
documentation page in the wiki to remove mention of HPKP -
cleanup backup keys passphrase from password manager (although still present in git history) -
if all goes well, remove the dead code from letsencryt-domains.git
(pending: in my worktree on my workstation, waiting for puppet to run everywhere) -
remove all pins from the tor-backup-keys.git
repository -
archive or destroy the repository
Edited by anarcat