A small human has been consuming all my blogging time lately, but I decided to get back into the game with a post full of terrible ideas for how to abuse Certificate Transparency to re-create public key pinning:
TLSA records work well and are easy to use. TTL can be set very low to minimize disruption from screwing up.
There's no reason Chrome can't enforce TLSA records when using DoH where DNSSEC isn't disrupted by broken networks.
Sites choose pinning leaves, intermediates, roots.
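The TLSA matching the reply is describing, as an added example that is not part of the original post or of any browser's code: the usage field selects which chain position is pinned (the leaf for usages 1 and 3, an intermediate or root for usages 0 and 2), the selector picks the full certificate or just its SubjectPublicKeyInfo, and the matching type hashes it. The certificate bytes and helper names below are constructed assumptions, and the PKIX validation that usages 0 and 1 additionally require is not modelled.

```python
import hashlib
from dataclasses import dataclass

# TLSA RDATA field values as defined in RFC 6698.
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a certificate: its DER and its SubjectPublicKeyInfo DER."""
    der: bytes
    spki: bytes


def assoc_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Certificate Association Data a TLSA record would carry for this cert.
    Selector 1 (SPKI) survives re-issuance with the same key; selector 0 pins the whole cert."""
    data = cert.der if selector == SELECTOR_FULL_CERT else cert.spki
    if mtype == MATCH_EXACT:
        return data
    if mtype == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def chain_matches_tlsa(chain: list, usage: int, selector: int, mtype: int, assoc: bytes) -> bool:
    """chain[0] is the leaf. Usages 1/3 pin the leaf; usages 0/2 pin an intermediate or root
    present in the served chain. Simplification: usages 0/1 also need normal PKIX validation."""
    if usage in (USAGE_PKIX_EE, USAGE_DANE_EE):
        candidates = chain[:1]
    elif usage in (USAGE_PKIX_TA, USAGE_DANE_TA):
        candidates = chain[1:]
    else:
        return False  # unknown usage: treat the record as unusable, never as a match
    return any(assoc_data(c, selector, mtype) == assoc for c in candidates)


def tlsa_presentation(usage: int, selector: int, mtype: int, assoc: bytes) -> str:
    """Zone-file form of the RDATA, e.g. '3 1 1 <hex digest>'."""
    return f"{usage} {selector} {mtype} {assoc.hex()}"


# Constructed sample chain (not real certificates): leaf, intermediate, root.
LEAF = Cert(der=b"constructed-leaf-cert-der", spki=b"constructed-leaf-spki")
INTERMEDIATE = Cert(der=b"constructed-intermediate-der", spki=b"constructed-intermediate-spki")
ROOT = Cert(der=b"constructed-root-der", spki=b"constructed-root-spki")
CHAIN = [LEAF, INTERMEDIATE, ROOT]
```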

