From 9361492840107b13a670e5b8fc7d6e51a00ee2a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Wed, 15 Apr 2020 11:01:31 -0400
Subject: [PATCH] rip HPKP out of the main LE procedure

HPKP has been removed from Chromium in 2017:

https://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/
---
 tsa/howto/tls.mdwn | 56 +++++++++++++++++++++++++---------------------
 1 file changed, 31 insertions(+), 25 deletions(-)

diff --git a/tsa/howto/tls.mdwn b/tsa/howto/tls.mdwn
index 8b50caa3..36dd7fb5 100644
--- a/tsa/howto/tls.mdwn
+++ b/tsa/howto/tls.mdwn
@@ -21,31 +21,7 @@ manage the related [X.509](https://en.wikipedia.org/wiki/X.509) certificates tha
     
         $EDITOR domains
 
- 3. Generate backup [HPKP][] keys for Public key pinning:
-
-    HPKP is generally considered DEPRECATED so this section should
-    generally be skipped.
-
-        ./bin/manage-backup-keys create
-
-    See `tor-passwords/000-backup-keys` for the passphrase when prompted.
-
-    The private key is a backup RSA certificate that can be used to rotate
-    HTTPS certificates in case of a compromise, while respecting the pins
-    sent as `Public-Key-Pins` headers.
-
- 4. Push the new key to the backup-keys repo:
-
-        cd backup-keys
-        git status
-        git add $yourfiles
-        git commit
-        git push
-        cd ..
-
-[HPKP]: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
-
- 5. Push the updated domain list to the letsencrypt-domains repo
+ 3. Push the updated domain list to the letsencrypt-domains repo
 
         git diff domains
         git add domains
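Review bot: with the backup-key step gone from the main procedure, nothing in the remaining steps tells an operator how to handle a domain that still sends `Public-Key-Pins` headers, which the removed text describes as the reason the backup key exists (rotating the certificate after a compromise while still matching the pins). Consider a one-line pointer after the new step 3, e.g. "If the domain still sends `Public-Key-Pins`, see the HPKP entries under How-to before renewing", so the renumbered procedure does not silently drop that case. Also confirm that any numbered steps after the former step 5 are renumbered; the hunk ends at the former step 5, so later steps are not visible here.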
@@ -102,6 +78,36 @@ Then remove the file.
 
 # How-to
 
+## Enabling HPKP
+
+HPKP is generally considered DEPRECATED. It has been [disabled in
+Google Chrome in 2017](https://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/) and should generally not be used anymore.
+
+This section should generally be skipped unless you *really* need key
+pinning for some obscure reason.
+
+ 1. To generate backup [HPKP][] keys, use the script provided in the
+    `domains.git` repository:
+
+        ./bin/manage-backup-keys create
+
+    See `tor-passwords/000-backup-keys` for the passphrase when prompted.
+
+    The private key is a backup RSA certificate that can be used to
+    rotate HTTPS certificates in case of a compromise, while
+    respecting the pins sent as `Public-Key-Pins` headers.
+
+ 2. Push the new key to the backup-keys repo:
+
+        cd backup-keys
+        git status
+        git add $yourfiles
+        git commit
+        git push
+        cd ..
+
+[HPKP]: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
+
 ## Disabling HPKP
 
 To disable key pinning ([HPKP][]) on a given domain, just remove the
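Review bot: the new "Enabling HPKP" entry is inserted directly under `# How-to`, so a feature the text itself calls DEPRECATED becomes the first how-to a reader sees; placing it after "Disabling HPKP" (or at the end of the section) would match the "should generally be skipped" guidance. The `[HPKP]:` reference definition removed in the first hunk is re-added here and is still needed by the `[HPKP][]` link in "Disabling HPKP", so keep it, but check the rest of the file for a second copy of the same definition since only this region is visible. Minor: the commit message says HPKP was removed from Chromium, while the new text says it was disabled in Google Chrome; pick one wording.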
-- 
GitLab