drop HTTP public key pinning (HPKP)
HTTP PKP has been deprecated and removed from many browsers already. We should stop sending that header. I propose a 2 stage process:

1) get clients that visit us regularly to drop their cached pin
2) after all pins would also have expired, stop sending the header entirely

For 1, something like this:

```
--- a/modules/apache2/templates/ssl-key-pins.erb
+++ b/modules/apache2/templates/ssl-key-pins.erb
@@ -24,7 +24,9 @@ if pin_info.size >= 2 then
   pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
   # 60 days
-  pin_info << "max-age=5184000"
+  #pin_info << "max-age=5184000"
+  # 0 days, set 2020-03-11, so we can get rid of the header around 2020-05-11.
+  pin_info << "max-age=0"
   pin_str = pin_info.join("; ")
   res << "    Header always set Public-Key-Pins \"#{pin_str}\""
 else
```

Also cf https://tools.ietf.org/html/rfc7469#section-2.3.1

1. [x] get clients that visit us regularly to drop their cached pin (done on 2020-03-11)
2. [x] after all pins would also have expired, stop sending the header entirely (done on 2020-10-14)
4. [x] update the `tls` documentation page in the wiki to remove mention of HPKP
5. [x] cleanup backup keys passphrase from password manager (although still present in git history)
3. [x] if all goes well, remove the dead code from `letsencryt-domains.git` (pending: in my worktree on my workstation, waiting for puppet to run everywhere)
4. [x] remove all pins from the `tor-backup-keys.git` repository
5. [x] archive or destroy the repository
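Review bot: the hunk leaves the old line behind as a comment (`+  #pin_info << "max-age=5184000"`) and keeps the unchanged `# 60 days` context line directly above the new `max-age=0`, so the template now carries a comment that contradicts the value under it. Since this is a temporary phase that is itself scheduled for deletion, drop the commented-out line and fold the old value into the new comment, e.g. `# was max-age=5184000 (60 days); 0 evicts cached pins per RFC 7469 section 2.3.1, set 2020-03-11, remove header after 2020-05-11`, so the next reader sees both the old duration and the removal deadline in one place.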
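To make the two phases concrete, here is an added Ruby example (not the issue's own code, and not the ERB template from the puppet repository) that builds the Public-Key-Pins header value the way the template does, parses a header back, and classifies what a conforming client would do with it: keep a cached pin (no header), refresh it (non-zero max-age) or evict it (max-age=0). The pins used in the usage section are constructed sample values; `safe_removal_date` is an assumed helper that just adds the previously sent max-age to the switch date.

```ruby
require 'openssl'
require 'base64'
require 'digest'
require 'date'

# Values from the issue: 60 days while pinning, 0 to evict cached pins.
PIN_MAX_AGE  = 60 * 24 * 60 * 60   # 5184000 seconds
DROP_MAX_AGE = 0

# SPKI pin as HPKP defines it: base64(SHA-256(DER SubjectPublicKeyInfo)).
def spki_pin(pubkey)
  Base64.strict_encode64(Digest::SHA256.digest(pubkey.to_der))
end

# Header value. Returns nil with fewer than two pins, mirroring the template's
# `pin_info.size >= 2` guard (a backup pin is required for a valid header).
def build_hpkp(pins, max_age)
  return nil if pins.size < 2
  (pins.map { |p| "pin-sha256=\"#{p}\"" } << "max-age=#{max_age}").join("; ")
end

# The Apache directive line the template emits, inner quotes escaped.
def apache_directive(header_value)
  "Header always set Public-Key-Pins \"#{header_value.gsub('"', '\"')}\""
end

# Parse a header value into its pins and max-age directive.
def parse_hpkp(value)
  pins = []
  max_age = nil
  value.split(";").map(&:strip).each do |directive|
    if (m = directive.match(/\Apin-sha256="([^"]+)"\z/))
      pins << m[1]
    elsif (m = directive.match(/\Amax-age=(\d+)\z/))
      max_age = m[1].to_i
    end
  end
  { pins: pins, max_age: max_age }
end

# :absent  -> no header; a client keeps its cached pin until it expires
# :drop    -> max-age=0; the client deletes the cached pin
# :pin     -> the client stores or refreshes the pin
# :invalid -> fewer than two pins or no max-age; the client ignores it
def classify_hpkp(value)
  return :absent if value.nil?
  h = parse_hpkp(value)
  return :invalid if h[:max_age].nil? || h[:pins].size < 2
  h[:max_age].zero? ? :drop : :pin
end

# Earliest day the header can be removed entirely: the longest max-age that
# was ever sent must have elapsed since the switch to max-age=0 (assumed helper).
def safe_removal_date(switch_date, previous_max_age)
  switch_date + previous_max_age / 86400
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample pins (not real keys); a real pin comes from spki_pin.
  sample = [Base64.strict_encode64("a" * 32), Base64.strict_encode64("b" * 32)]
  phase1 = build_hpkp(sample, PIN_MAX_AGE)
  phase2 = build_hpkp(sample, DROP_MAX_AGE)
  puts apache_directive(phase1)
  puts "phase 1: #{classify_hpkp(phase1)}"   # :pin
  puts "phase 2: #{classify_hpkp(phase2)}"   # :drop
  puts "header removable from: #{safe_removal_date(Date.new(2020, 3, 11), PIN_MAX_AGE)}"
  puts "pin for a freshly generated key: #{spki_pin(OpenSSL::PKey::RSA.new(2048).public_key)}"
end
```

The classification is what makes the two stages necessary: a client that never sees the header again keeps pinning until its cached max-age runs out, whereas a `max-age=0` header makes it forget the pin on the next visit, so the header may only disappear once the longest max-age ever sent has elapsed after the switch.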