
Deploy HPKP

We already have HSTS on our website, but HPKP seems to be the next generation public-key authentication for websites and we have been recommended to deploy it.

https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning

This would serve as a mitigation technique against MitM on our website (HPKP is at least TOFU until we get into the preload list; see #9027 (closed)).

dkg recommends generating two backup end-entity keys on an offline machine and pinning your active key plus those two backups.
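As an added example (not from this issue or the project's own code), the following Python sketch computes pin-sha256 values for the active key plus two offline backups, assembles the Public-Key-Pins header, and enforces the RFC 7469 rule that at least one backup pin must not match the served chain. The SPKI byte strings and the max-age are constructed placeholders, not real keys or our real values.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs: the key in
# the served certificate plus two backups generated on an offline machine.
ACTIVE_SPKI = b"constructed-spki-active-key"
BACKUP_SPKI_1 = b"constructed-spki-backup-key-1"
BACKUP_SPKI_2 = b"constructed-spki-backup-key-2"

# A pin is base64 of a 32-byte digest: 43 base64 characters plus one '='.
_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]{43}=)"')

def pin_sha256(spki_der):
    """pin-sha256 value: base64 of the SHA-256 digest of the SPKI DER bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def build_header(chain_spkis, backup_spkis, max_age, include_subdomains=False):
    """Assemble a Public-Key-Pins header value (RFC 7469).

    RFC 7469 requires at least one backup pin, a pin matching no SPKI in the
    chain currently served; without one, losing the active key locks every
    returning visitor out for max-age seconds, so refuse to build the header.
    """
    chain_pins = sorted({pin_sha256(s) for s in chain_spkis})
    backup_pins = [p for p in map(pin_sha256, backup_spkis) if p not in chain_pins]
    if not backup_pins:
        raise ValueError("at least one backup pin outside the served chain is required")
    directives = [f'pin-sha256="{p}"' for p in chain_pins + backup_pins]
    directives.append(f"max-age={int(max_age)}")
    if include_subdomains:
        directives.append("includeSubDomains")
    return "; ".join(directives)

def parse_header(value):
    """Parse pins and directives as a user agent would, rejecting malformed pins."""
    pins = _PIN_RE.findall(value)
    if any(len(base64.b64decode(p)) != 32 for p in pins):
        raise ValueError("pin-sha256 must decode to exactly 32 bytes")
    age = re.search(r"max-age=(\d+)", value)
    return {"pins": pins,
            "max_age": int(age.group(1)) if age else None,
            "include_subdomains": "includeSubDomains" in value}

def chain_matches(chain_spkis, pins):
    """Pin validation: some SPKI in the served chain must match a noted pin."""
    return any(pin_sha256(s) in set(pins) for s in chain_spkis)
```

Because the backup pins are already in the header, rotating to one of the offline keys later passes validation for every visitor who noted the pins, which is the point of generating them before deploying.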


Original created by @sajolida on 9026 (Redmine)
