I’d like to call upon Let’s Encrypt to publish the necessary values for their users to pin against their intermediate and root keys with a minimum time commitment for each.
Pinning against an intermediate and/or root key is much safer if done with assistance from the CA itself. Let’s Encrypt has full visibility of all possible trust paths and advance knowledge of events such as a change in the intermediate certificate (excluding a compromise scenario).
What I’d suggest is publishing the pin value and a recommended max-age value for all intermediates and roots:
Let’s Encrypt Authority X3
DST Root CA X3
This will allow sites to benefit from the protection of HPKP with less risk, and also reduce the administrative overhead of pinning their own keys exclusively whilst still affording a high level of protection. As a backup, a site owner can pin their own backup key and/or the keys of another CA.
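To make the proposal concrete, here is an added example (my own, not code from the post or from Let’s Encrypt) showing how an HPKP pin value is derived and how the resulting header is assembled: the pin is the base64 of the SHA-256 over the certificate’s DER-encoded SubjectPublicKeyInfo (RFC 7469), and a valid header carries at least two distinct pins (the CA pin plus a backup) and a max-age. The certificate and keys below are constructed stand-ins with a dummy signature, not the real Let’s Encrypt Authority X3 or DST Root CA X3 certificates; real pins must be computed from the real CA certificates, and the 60-day max-age is just an illustrative value.

```python
"""HPKP (RFC 7469) pin derivation and header assembly, stdlib only.

Added example, not part of the original post. The certificate and SPKI
values are CONSTRUCTED placeholders, not real CA material.
"""
import base64
import hashlib


def _der_tlv(data: bytes, offset: int):
    """Parse one DER TLV at offset; return (tag, value_start, value_end)."""
    tag = data[offset]
    length = data[offset + 1]
    hdr = 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset + 2:offset + 2 + nbytes], "big")
        hdr += nbytes
    start = offset + hdr
    return tag, start, start + length


def _children(data: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end, elem_start, elem_end) inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _der_tlv(data, pos)
        yield tag, vs, ve, pos, ve
        pos = ve


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo DER of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cs, ce = _der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs = next(_children(cert_der, cs, ce))          # first element: tbsCertificate
    fields = list(_children(cert_der, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                          # explicit [0] version present
        fields = fields[1:]
    spki = fields[5]                                  # serial, sigalg, issuer, validity, subject, SPKI
    if spki[0] != 0x30:
        raise ValueError("unexpected structure where SubjectPublicKeyInfo was expected")
    return cert_der[spki[3]:spki[4]]


def hpkp_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_header(pins, max_age: int, include_subdomains: bool = False) -> str:
    """Assemble Public-Key-Pins; RFC 7469 requires at least two distinct pins (one must be a backup)."""
    pins = list(dict.fromkeys(pins))                  # de-duplicate, keep order
    if len(pins) < 2:
        raise ValueError("HPKP needs at least two distinct pins (current chain + backup)")
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder for the constructed test certificate."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


_ED25519_ALG = _der(0x30, _der(0x06, bytes.fromhex("2b6570")))   # AlgorithmIdentifier for OID 1.3.101.112

# CONSTRUCTED Ed25519 SubjectPublicKeyInfo values (dummy key bytes, not real keys)
CONSTRUCTED_SPKI = _der(0x30, _ED25519_ALG + _der(0x03, b"\x00" + bytes(range(32))))
CONSTRUCTED_BACKUP_SPKI = _der(0x30, _ED25519_ALG + _der(0x03, b"\x00" + bytes(reversed(range(32)))))

# CONSTRUCTED certificate: valid DER layout, empty names and a dummy signature
CONSTRUCTED_CERT = _der(0x30,
    _der(0x30,
        _der(0xA0, _der(0x02, b"\x02"))                    # [0] version v3
        + _der(0x02, b"\x01")                              # serialNumber
        + _ED25519_ALG                                     # signature algorithm
        + _der(0x30, b"")                                  # issuer (empty Name)
        + _der(0x30, _der(0x17, b"250101000000Z") * 2)     # validity: notBefore, notAfter
        + _der(0x30, b"")                                  # subject (empty Name)
        + CONSTRUCTED_SPKI)
    + _ED25519_ALG
    + _der(0x03, b"\x00" + bytes(64)))                     # signature (dummy bytes)

if __name__ == "__main__":
    ca_pin = hpkp_pin(extract_spki(CONSTRUCTED_CERT))
    backup_pin = hpkp_pin(CONSTRUCTED_BACKUP_SPKI)
    print(build_header([ca_pin, backup_pin], max_age=5184000, include_subdomains=True))
```

For real certificates the same SPKI hash is what the usual openssl pipeline produces (`openssl x509 -in ca.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`), which is why a CA publishing the values itself, with a committed minimum validity period, removes the guesswork about which chain a site will actually be served and how long the pin can safely live.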
Thoughts and comments welcome!