remove HPKP instructions completely (#33592)

fd41a297 · anarcat · 00350b87 · fd41a297
Verified Commit fd41a297 authored 4 years ago by anarcat
--- a/howto/tls.md
+++ b/howto/tls.md
@@ -81,60 +81,6 @@ Then remove the file.

 # How-to

-## Enabling HPKP
-
-Note: HPKP is generally considered DEPRECATED. It has been [disabled
-in Google Chrome in 2017][] and should generally not be used
-anymore. There are [plans to remove it completely][] in our
-infrastructure.
-
-[plans to remove it completely]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/33592
-[disabled in Google Chrome in 2017]: https://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/
-
-This section should generally be skipped unless you *really* need key
-pinning for some obscure reason.
-
- 1. To generate backup [HPKP][] keys, use the script provided in the
-    `domains.git` repository:
-
-        ./bin/manage-backup-keys create
-
-    See `tor-passwords/000-backup-keys` for the passphrase when prompted.
-
-    The private key is a backup RSA certificate that can be used to
-    rotate HTTPS certificates in case of a compromise, while
-    respecting the pins sent as `Public-Key-Pins` headers.
-
- 2. Push the new key to the backup-keys repo:
-
-        cd backup-keys
-        git status
-        git add $yourfiles
-        git commit
-        git push
-        cd ..
-
-[HPKP]: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
-
-## Disabling HPKP
-
-Note: HPKP is generally considered DEPRECATED. It has been [disabled
-in Google Chrome in 2017][] and should generally not be used
-anymore. There are [plans to remove it completely][] in our
-infrastructure.
-
-To disable key pinning ([HPKP][]) on a given domain, just remove the
-backup key from the repository:
-
-    cd backup-keys
-	git rm example.torproject.org*
-	git commit
-	git push
-
-Then run Puppet on all affected hosts, for example the static mirrors:
-
-    cumin 'C:roles::static_mirror_web' 'puppet agent -t'
-
 ## Pager playbook

 * if you get email from Digicert, ask the Tor Browser team, they use
@@ -268,7 +214,7 @@ server (currently `cupani`):
    `bin/deploy` file which installs the certificates files in
    `var/result`. 

- 7. It also generates a Public Key Pin (PKP) hash with the
+ 7. CODE REMOVED: It also generates a Public Key Pin (PKP) hash with the
    `bin/get-pin` command and appends Diffie-Hellman paramets
    (`dh-$size.pem`) to the certificate chain.

@@ -357,3 +303,14 @@ also leverage the ACME protocol designed by letsencrypt to run our own
 CA instead of just OpenSSL, although that might be overkill. In
 general it might be preferable to reuse an existing solution than
 maintain our own software in Make.
+
+### HPKP
+
+HPKP used to be used at Tor, but we expired it in March 2020 and
+completely stopped sending headers in October 2020. It is generally
+considered Deprecated, it has been [disabled in Google Chrome in
+2017][] and should generally not be used anymore. See [issue 33592][]
+for details, and the history of this page for previous instructions.
+
+[issue 33592]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/33592
+[disabled in Google Chrome in 2017]: https://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/