From 8dce0691bb286521f32da04a08bdbbbbb4fd17d8 Mon Sep 17 00:00:00 2001 From: moparisthebest Date: Sat, 16 Dec 2023 11:36:36 -0500 Subject: [PATCH] host-meta-2: Add procedure for updating public-key-pins-sha-256 --- inbox/host-meta-2.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/inbox/host-meta-2.xml b/inbox/host-meta-2.xml index ae98019d..5aa016bf 100644 --- a/inbox/host-meta-2.xml +++ b/inbox/host-meta-2.xml @@ -181,6 +181,7 @@

For the forseeable future you will need to maintain legacy SRV records in addition to this file, and you should provide DANE TLSA records too if possible.

To make your server as accessible to other clients/servers no matter how bad the network they are on, it is advised to use port 443 when possible, as it looks the most like HTTPS.

+

Extra care must be taken in updating "public-key-pins-sha-256" similar to that which is required of HPKP and DANE, summarized here, you MUST add the new key, wait until at least 2 TTL periods have passed, and only then remove the old key.

To make connection discovery work in web clients (including those hosted on a different domain) the host service SHOULD set appropriate CORS headers for Web Host Metadata files. The exact headers and values are out of scope of this document but may include: Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers.

Due care has to be exercised in limiting the scope of Access-Control-Allow-Origin response header to Web Host Metadata files only.
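Review bot: In the added paragraph on "public-key-pins-sha-256", "at least 2 TTL periods" does not say which TTL is meant (the one carried by this file, or the DNS TTL of the records mentioned just above it) or from what moment the wait is counted, so two implementers can follow the MUST and still end up with different rollover windows. Name the TTL explicitly and state that the wait starts when the file containing both pins is first published. It would also help to say at which step the server may start presenting the new key, since "add the new key ... remove the old key" can be read as either the pin entries or the key in use. The sentence itself is a comma splice around "summarized here, you MUST"; ending the sentence after "HPKP and DANE" and starting a new one with "In summary, you MUST add the new key, ..." would make the normative requirement easier to find.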