But hpkp (my blog) still baffles me. hpkp is a waste of time although i have ‘valid’ hpkp i still have no hpkp backup key and the report uri thing also remains a mystery to me – is it a form in html,a cgi script or something else.
Specifically problems seem to exist with primary and backup keys (if you hairy eyeball to documentation) appears to be done with pin-sha256=\”base64+primary==\”; and +backup but i can’t verify that although it could be rfc right.
report uri is also a mystery to most just do the hashes so i guess they also gave up on it however it is supposed to work – i rekon a cgi like form is used
The higher mysteries of hpkp will remain here in the zoo