by kuschku 3798 days ago
You only care about pinning when you fear that a third actor somewhere between your server and the end client might MitM the connection with a valid certificate.

If a third party controls your keys, certificate pinning is useless for preventing attacks from that third party or governmental agencies.


Most HPKP deployments pin to root or intermediate certificates of CAs (usually 2 separate CA entities, in case something happens to the primary CA) - meaning in a typical scenario, the attack surface is approximately the same.

Not sure if this approach is common in native applications that pin to keys as well.
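The HPKP behaviour the comment above describes, as an added example that is not from this thread or from any of the commenters: a toy PKI built with Go's standard library, pinned to the issuing intermediate of CA A plus the root of backup CA B, checked against four chains that all pass ordinary path validation. All CA names, the hostname pinned.example and the serial numbers are made up, and `must`, `template`, `issue`, `verifiedChain` and `RunScenario` are helpers written for this example, not part of any library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SPKIPin computes an HPKP pin: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainMatchesPins is the HPKP rule: any cert in the chain carrying a pinned SPKI suffices.
func ChainMatchesPins(chain []*x509.Certificate, pins []string) bool {
	for _, c := range chain {
		for _, p := range pins {
			if SPKIPin(c) == p {
				return true
			}
		}
	}
	return false
}

// template builds a CA or server-certificate template (all names and serials are made up).
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl under a fresh P-256 key with parent/parentKey; a nil parent self-signs (a root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// verifiedChain runs ordinary path validation first; pinning only narrows what the trust store already accepts.
func verifiedChain(leaf *x509.Certificate, opts x509.VerifyOptions) []*x509.Certificate {
	return must(leaf.Verify(opts))[0]
}

// RunScenario: CA A (root + issuing intermediate) is the site's primary CA, CA B its backup, CA C an
// unrelated CA the client also trusts. It returns the pin verdict for four chains that are all valid for host.
func RunScenario() (legit, unpinnedCA, pinnedCA, backupCA bool) {
	const host = "pinned.example"
	rootA, keyA := issue(template("CA A Root", 1, true), nil, nil)
	interA, keyIA := issue(template("CA A Issuing", 2, true), rootA, keyA)
	rootB, keyB := issue(template("CA B Root", 3, true), nil, nil)
	rootC, keyC := issue(template("CA C Root", 4, true), nil, nil)
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, r := range []*x509.Certificate{rootA, rootB, rootC} {
		opts.Roots.AddCert(r)
	}
	opts.Intermediates.AddCert(interA)
	// Typical HPKP policy from the comment above: pin the issuing intermediate plus the backup CA's root.
	pins := []string{SPKIPin(interA), SPKIPin(rootB)}
	site, _ := issue(template(host, 10, false), interA, keyIA)  // the site's own server cert
	fromC, _ := issue(template(host, 11, false), rootC, keyC)   // MitM cert from an unrelated trusted CA
	fromA, _ := issue(template(host, 12, false), interA, keyIA) // cert the pinned CA issued to someone else
	fromB, _ := issue(template(host, 13, false), rootB, keyB)   // cert the backup CA issued to someone else
	legit = ChainMatchesPins(verifiedChain(site, opts), pins)
	unpinnedCA = ChainMatchesPins(verifiedChain(fromC, opts), pins)
	pinnedCA = ChainMatchesPins(verifiedChain(fromA, opts), pins)
	backupCA = ChainMatchesPins(verifiedChain(fromB, opts), pins)
	return
}

func main() {
	fmt.Println(RunScenario()) // true false true true
}
```

The four verdicts are the whole argument in miniature: the site's own chain passes and the cert from unrelated CA C is rejected, which is what pinning is for, but a cert mis-issued by either of the two pinned CA entities is accepted, so the attack surface is those two CAs rather than the whole trust store. Because the rule matches any certificate in the validated chain, a pin on an intermediate covers every certificate that intermediate ever issues, not only yours.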

Obviously. That doesn't mean pinning is impossible or useless against other threats though, so I don't think the argument makes sense in that general way. I bet there are tons of apps running on AWS, or with backends running on AWS, that should have certificate pinning.