I'm all in favour of CSP and HPKP, but the community forum is not really related to the security of the CA server, ACME or certificate issuance in general.
HPKP can be quite tricky to get right, especially with certificates with short lifetimes. It's quite easy to actually brick your domain if you mess up in some way, and the client should probably be quite conservative and, if ever implemented, hide this option behind a lot of warnings.
[quote="My1, post:22, topic:12325, full:true"]please no HPKP, with that more stuff can fail than will go right.[/quote]HPKP isn't that hard to implement: https://scotthelme.co.uk/hpkp-http-public-key-pinning/
What could go wrong?
HPKP isn't hard to implement, but a LOT of stuff can go wrong, e.g. you lose your pinned keys and now suddenly no one will accept your new certs until that lifetime is over.
DANE is a bit better here because you have to let your registrar change your DS records to a new key and finish it.
Also, HPKP is a part of HSTS, meaning it will enforce a trusted cert, meaning if you cannot get a cert from a CA (e.g. because of sudden blacklist changes) even your keys won't help you.
[quote="My1, post:24, topic:12325, full:true"]HPKP isn't hard to implement, but a LOT of stuff can go wrong, e.g. you lose your pinned keys and now suddenly no one will accept your new certs until that lifetime is over.[/quote]That's why you're supposed to pin at least one backup key, too; so, at the bare minimum, you should be pinning at least two.
That's why I said keys and not key. If you are not careful you could lose your backup key as well. It might just be that the drive of the PC with the backup key crashes.
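To make the backup-pin discussion above concrete, here is an added example (not code from any poster or from the Let's Encrypt project) that computes RFC 7469 `pin-sha256` values, builds a `Public-Key-Pins` header that refuses to ship with fewer than two distinct pins, and then models the user agent's check: rotating to the pinned backup key is accepted, while a brand-new key (the "lost both keys" case from the thread) is rejected for the whole `max-age` window. The key material is constructed placeholder bytes wrapped in a fixed Ed25519 SubjectPublicKeyInfo DER prefix so that the example runs offline with only the standard library; the function names are this example's own.

```python
import base64
import hashlib
import re

# Fixed 12-byte DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410);
# the 32 raw public-key bytes follow it directly.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki(raw_pub: bytes) -> bytes:
    """Wrap 32 raw Ed25519 public-key bytes into a DER SubjectPublicKeyInfo."""
    if len(raw_pub) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    return ED25519_SPKI_PREFIX + raw_pub


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(pins, max_age: int, include_subdomains: bool = False) -> str:
    """Build a Public-Key-Pins value; refuse to ship with fewer than two distinct pins."""
    if len(set(pins)) < 2:
        raise ValueError("HPKP requires at least two distinct pins (live key + backup key)")
    parts = [f'pin-sha256="{p}"' for p in pins]
    parts.append(f"max-age={max_age}")
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_hpkp_header(value: str):
    """Return (set of pins, max-age in seconds or None) from a header value."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', value))
    m = re.search(r"max-age=(\d+)", value)
    return pins, (int(m.group(1)) if m else None)


def client_accepts(header_value: str, presented_spki_chain) -> bool:
    """Model of the UA check: some SPKI in the presented chain must match a cached pin."""
    pins, _ = parse_hpkp_header(header_value)
    return any(pin_sha256(spki) in pins for spki in presented_spki_chain)


# Constructed placeholder "keys": any 32 bytes are enough to demonstrate pinning,
# since only the SPKI hash matters here. These are NOT real key pairs.
RAW_LIVE = hashlib.sha256(b"constructed live key").digest()
RAW_BACKUP = hashlib.sha256(b"constructed offline backup key").digest()
RAW_REPLACEMENT = hashlib.sha256(b"constructed key generated after losing both").digest()

SPKI_LIVE = ed25519_spki(RAW_LIVE)
SPKI_BACKUP = ed25519_spki(RAW_BACKUP)
SPKI_REPLACEMENT = ed25519_spki(RAW_REPLACEMENT)

# 60 days in seconds; the UA trusts only the pinned keys for this long.
HEADER = build_hpkp_header([pin_sha256(SPKI_LIVE), pin_sha256(SPKI_BACKUP)], max_age=5184000)


def rotation_outcomes():
    """Three scenarios from the thread, as (name, accepted) pairs."""
    return [
        ("serve with the live key", client_accepts(HEADER, [SPKI_LIVE])),
        ("rotate to the pinned backup key", client_accepts(HEADER, [SPKI_BACKUP])),
        ("lost both keys, new cert on a fresh key", client_accepts(HEADER, [SPKI_REPLACEMENT])),
    ]


if __name__ == "__main__":
    print("Public-Key-Pins:", HEADER)
    for name, ok in rotation_outcomes():
        print(f"{name}: {'accepted' if ok else 'REJECTED until max-age expires'}")
```

The third scenario is the outage the thread warns about: with both pinned keys gone, no certificate from any CA satisfies the cached pins, and a returning client keeps refusing the site until its stored `max-age` runs out, which is why the backup key belongs somewhere that cannot fail together with the live one.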