I’m playing around with HPKP.
For a test, I pinned both LE CAs and my server key. However, upon changing my server key so that it falls outside the set of pinned keys, Firefox still doesn’t complain. This is backed by the spec which only mentions that the set of pinned keys and keys in the chain must intersect, but doesn’t require the intersection to be permanent.
This raises a question for me about pinning both the CA and the server key, which I see very often but seems completely pointless to me.
If I pin the CA, then anyone who can present a valid cert from that CA passes the HPKP check, regardless of my pinned server key. So if you pin the CA, you shouldn’t pin the server key, and subsequently, if you pin the server key, it should be the only key in the chain that is pinned (setting aside backup keys).
Is that correct so far?
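An added example (not code from the original post) of the RFC 7469 check the question describes: a pin is the base64 SHA-256 of a certificate's DER SubjectPublicKeyInfo, and validation passes as soon as any one certificate in the chain matches any pin, so a pinned CA keeps a rotated server key passing. The SPKI byte strings are constructed stand-ins, not real keys.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs; real
# pins hash the actual SPKI bytes of each certificate in the chain.
SPKI = {
    "le_root": b"constructed-spki-le-root",
    "le_intermediate": b"constructed-spki-le-intermediate",
    "server_v1": b"constructed-spki-server-key-1",
    "server_v2": b"constructed-spki-server-key-2",
    "backup": b"constructed-spki-backup-key",
}


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(value: str) -> tuple[set[str], int]:
    """Extract the pin-sha256 set and max-age from a Public-Key-Pins header."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', value))
    m = re.search(r"max-age=(\d+)", value)
    if m is None:
        raise ValueError("max-age is a required directive")
    return pins, int(m.group(1))


def pin_validation(chain_spkis: list[bytes], pins: set[str]) -> bool:
    """Pin Validation as in RFC 7469: at least one SPKI in the served chain must
    hash to a pinned value. Nothing requires the leaf to be the match."""
    return any(pin_sha256(spki) in pins for spki in chain_spkis)


def header_with(*names: str) -> str:
    """Build a Public-Key-Pins header pinning the named SPKIs (constructed)."""
    parts = [f'pin-sha256="{pin_sha256(SPKI[n])}"' for n in names]
    return "; ".join(parts) + "; max-age=5184000"


def rotated_leaf_passes(pinned: tuple[str, ...]) -> bool:
    """After pinning `pinned`, does a chain with a *new* server key still pass?"""
    pins, _ = parse_pkp_header(header_with(*pinned))
    chain_after_rotation = [SPKI["server_v2"], SPKI["le_intermediate"], SPKI["le_root"]]
    return pin_validation(chain_after_rotation, pins)


if __name__ == "__main__":
    # CA pinned next to the server key: the intermediate still matches, so the swapped key is accepted
    print(rotated_leaf_passes(("le_intermediate", "server_v1", "backup")))  # True
    # Only server key plus backup pinned: the rotated key matches nothing
    print(rotated_leaf_passes(("server_v1", "backup")))  # False
```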