Apologies for the absence, we’ve had a busy week.
This is interesting! But I don’t think I agree. There are extensions like CertPatrol that allow people to be notified when certs change for sites they visit, but these alerts are generally not actionable even in today’s Internet. There’s no way as an end user to tell whether an unrecognized certificate is legitimate or not.
Fortunately, Certificate Transparency offers a way to formalize that “watching” process and make it public and actionable. Site operators, the only people who are really empowered to judge whether a given certificate is legitimate, can subscribe to monitors and be alerted when new certificates appear. End-users can (eventually) be alerted if they are presented with a certificate that hasn’t been publicly disclosed.
That leaves HPKP pinning. I assume you are talking about pinning to leaf certs rather than intermediates, because that is the only kind of pinning that is materially affected by 90-day lifetimes. It’s still quite possible to pin leaf certs with 90-day lifetimes. You have to either pre-allocate your next N keys and include them in your pinning header, or as you say, reuse the same key across multiple issuances. I’m not sure that encouraging long-lived keys is likely to increase people’s successful deployment of HPKP pinning.
It’s number two on our list of key principles, second only to “free.”