I have written about HPKP (my blog) before but find it lacking in usable documentation. Quite how you specify a backup cert in, say, Apache I leave as a question to gurus; buying a cert to not use it seems strange, and how that would affect CAA records if, say, from another supplier is a mystery it seems I will not bother to figure out, for it is bollocks to common sense. Could one be deemed a fake cert issue that gets the CA removed from, say, Firefox? That is a problem I foresee if HPKP takes off.
I suppose it could be done, but then if the hostname does not match you're still going to get grief from Firefox about host mismatch problems; forget self-signing SSL. Add the cost of EV certs in too, or the problem of a cert with multiple addresses, and then you still have no backup HPKP.
I think HPKP is a retarded man's DNSSEC (which the zoo has), but HPKP still has a cost with the backup certificate, which I guess makes the SSL mafia happy financially, and who cares if it gets used or not. They do not.
As I am no HPKP guru, nor feel the need to become one, I ask the question why it is only for web servers, say, but not email too; other ports can be utilised too, but you get my gripe.
So I have commented it out of the Apache config, for if I cannot figure it out then I doubt many others can use it either.
Anyhow, not my problem.
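As an added example, not part of the post above and not the author's config: the commands a practitioner would use to produce the two pins HPKP needs (one for the certificate currently served, one for a backup) and the Apache mod_headers line that carries them. The file names cert.pem and backup.key and the max-age value are assumptions. One point of fact that bears on the question raised above: HPKP pins a SHA-256 hash of the SubjectPublicKeyInfo, not a certificate, so the backup pin can be taken from a freshly generated key pair that has never been sent to any CA; no certificate has to be bought for it, and CAA is only consulted when a CA is later asked to issue for that key. Caveat: Chrome and Firefox have since removed HPKP support, so current browsers ignore the header.

```shell
#!/bin/sh
# Added example (not from the original post): HPKP pins for Apache.
# Assumes openssl is installed; cert.pem / backup.key are placeholder names.
set -e

# pin_from_cert: base64(SHA-256(DER SubjectPublicKeyInfo)) of the cert served today.
pin_from_cert() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# pin_from_key: the same digest computed from a private key that has no
# certificate yet. This is the backup pin: a key you hold, not a cert you bought.
pin_from_key() {
  openssl pkey -in "$1" -pubout -outform der \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# hpkp_header: the Apache mod_headers directive, given the live pin and the backup pin.
# max-age 5184000 s = 60 days is an assumed value; pick yours deliberately, because
# a bad pin set locks clients out for that long.
hpkp_header() {
  printf 'Header always set Public-Key-Pins "pin-sha256=\\"%s\\"; pin-sha256=\\"%s\\"; max-age=5184000; includeSubDomains"\n' "$1" "$2"
}

# demo: make a throwaway key and a self-signed cert for it in a temp dir, then
# show that the pin of the key equals the pin of a cert issued for that key.
# That equality is why the backup pin can be computed before any CA is involved.
demo() {
  d=$(mktemp -d)
  openssl genrsa -out "$d/backup.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/backup.key" -subj "/CN=example.invalid" \
    -days 1 -out "$d/cert.pem" 2>/dev/null
  live=$(pin_from_cert "$d/cert.pem")
  backup=$(pin_from_key "$d/backup.key")
  rm -rf "$d"
  [ "$live" = "$backup" ] && echo "$live"
}

# Typical use once cert.pem is the served cert and backup.key is kept offline:
#   openssl genrsa -out backup.key 2048
#   hpkp_header "$(pin_from_cert cert.pem)" "$(pin_from_key backup.key)"
```

The check in demo is the one worth running before enabling the header: when you later rotate to the backup key and get a certificate issued for it, pin_from_cert on the new certificate must print exactly what pin_from_key printed for backup.key.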