Drop HTTP Public Key Pinning (HPKP)

HTTP PKP has been deprecated and already removed from many browsers.

We should stop sending that header.

I propose a 2-stage process:

  1. get clients that visit us regularly to drop their cached pin
  2. after all pins have also expired, stop sending the header entirely.

For 1, something like this:

--- a/modules/apache2/templates/ssl-key-pins.erb
+++ b/modules/apache2/templates/ssl-key-pins.erb
@@ -24,7 +24,9 @@
     if pin_info.size >= 2 then
       pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
       # 60 days
-      pin_info << "max-age=5184000"
+      #pin_info << "max-age=5184000"
+      # 0 days, set 2020-03-11, so we can get rid of the header around 2020-05-11.
+      pin_info << "max-age=0"
       pin_str = pin_info.join("; ")
       res << "  Header always set Public-Key-Pins \"#{pin_str}\""
     else
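Review bot: the `# 60 days` comment kept at the top of the hunk is now stale, since the line it described is commented out and the value that follows it is `max-age=0`; drop that comment together with the commented-out `#pin_info << "max-age=5184000"` line rather than leaving dead code in the template, the old value survives in git history and is implied by the 60-day gap between the two dates in the new comment anyway.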

See also https://tools.ietf.org/html/rfc7469#section-2.3.1
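As an added illustration (not code from this issue or from the template above), here is a small Ruby model of how a client's pin cache reacts to the two header values, used to check when the header can be dropped; the pin digests, header strings and visit dates are constructed, and pin validation against the served chain is left out.

```ruby
require 'date'
# Constructed model of a client's HPKP pin cache (not the project's code); only
# the max-age handling from RFC 7469 is modelled, which the two-stage removal relies on.

# Parse a Public-Key-Pins header value into its pin list and max-age seconds.
def parse_pkp(value)
  pins = []
  max_age = nil
  value.split(';').map(&:strip).each do |directive|
    name, _, val = directive.partition('=')
    val = val.strip.delete('"')
    case name.strip.downcase
    when 'pin-sha256' then pins << val
    when 'max-age'    then max_age = Integer(val)
    end
  end
  { pins: pins, max_age: max_age }
end

# Apply a received header to the cached state (a hash, or nil if nothing is
# cached) and return the new state.  A header without max-age is invalid and
# ignored; max-age=0 tells the client to drop the pin (RFC 7469).
def apply_pkp(cache, header_value, received_on)
  parsed = parse_pkp(header_value)
  return cache if parsed[:max_age].nil?
  return nil if parsed[:max_age] <= 0
  { pins: parsed[:pins], expires: received_on + Rational(parsed[:max_age], 86_400) }
end

# Is a cached pin still enforced on the given date?
def pin_active?(cache, on)
  !cache.nil? && on < cache[:expires]
end

# Earliest date on which every pin set by the old header has expired, given
# the last day that header (with old_max_age seconds) could have been served.
def safe_removal_date(last_served_on, old_max_age)
  last_served_on + Rational(old_max_age, 86_400)
end

# Constructed header values mirroring the template before and after the change.
OLD_HEADER = 'pin-sha256="AAAA"; pin-sha256="BBBB"; max-age=5184000'
NEW_HEADER = 'pin-sha256="AAAA"; pin-sha256="BBBB"; max-age=0'
if __FILE__ == $PROGRAM_NAME
  client = apply_pkp(nil, OLD_HEADER, Date.new(2020, 3, 10)) # last visit before the change
  puts "pin enforced on 2020-04-01: #{pin_active?(client, Date.new(2020, 4, 1))}"
  puts "header can be dropped from: #{safe_removal_date(Date.new(2020, 3, 11), 5_184_000)}"
  puts "state after max-age=0: #{apply_pkp(client, NEW_HEADER, Date.new(2020, 3, 11)).inspect}"
end
```

With the old header last served on 2020-03-11, `safe_removal_date` gives 2020-05-10, consistent with the "around 2020-05-11" estimate in the diff comment; a client that never returns to receive the max-age=0 header still stops enforcing its pin on its own expiry date.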

  1. get clients that visit us regularly to drop their cached pin (done on 2020-03-11)
  2. after all pins have also expired, stop sending the header entirely (done on 2020-10-14)
  3. update the tls documentation page in the wiki to remove mention of HPKP
  4. clean up the backup keys' passphrase in the password manager (although still present in git history)
  5. if all goes well, remove the dead code from letsencryt-domains.git (pending: in my worktree on my workstation, waiting for puppet to run everywhere)
  6. remove all pins from the tor-backup-keys.git repository
  7. archive or destroy the repository

Edited by anarcat