by hyperfekt 3219 days ago
Am I mistaken to think that the HPKP attacks could be mitigated to a certain degree by implementing delayed pinning, meaning a pin must be announced for a certain amount of time before it goes into effect, allowing the owner to notice and counteract a malicious pin?
2 comments

Yes, you're right. IIRC, that approach was considered and rejected in the design phase. Some other pinning proposals (e.g. http://tack.io) rely on delayed activation to reduce the damage potential.
HPKP is a header in an HTTP request; there is nowhere to announce it early.
The idea is that browsers would see that header, but only enforce the pin if the header was kept for a certain period.
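As an added example (not code from this thread, and not how any real browser or the HPKP specification actually behaves), the following Python models the delayed-activation idea being discussed: a client records when it first saw a given `Public-Key-Pins` pin set for a host and only starts enforcing it after the pin set has been announced unchanged for an assumed grace period (`DEFAULT_ACTIVATION_DELAY`, chosen here as seven days). A changed pin set restarts the clock, and `max-age=0` withdraws a pin, so a hostile pin that the site owner notices and replaces within the grace period never becomes enforced. The header parser, the `DelayedPinStore` class, and the sample pin values are all constructed for this example.

```python
"""Illustrative delayed-activation pin store (constructed example, not any browser's code)."""
import re
from dataclasses import dataclass

DAY = 86400
# Assumed grace period: a pin set must be announced continuously for this long
# before the client enforces it. Real HPKP enforces as soon as the header is seen.
DEFAULT_ACTIVATION_DELAY = 7 * DAY

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
_MAX_AGE_RE = re.compile(r'max-age=(\d+)')


def parse_pkp_header(value):
    """Parse a Public-Key-Pins header value into (frozenset of pins, max_age).

    Returns None when the header carries no pins or no max-age, which a client
    should treat as "ignore this header" rather than as a pin.
    """
    pins = frozenset(_PIN_RE.findall(value))
    match = _MAX_AGE_RE.search(value)
    if not pins or match is None:
        return None
    return pins, int(match.group(1))


@dataclass
class PinRecord:
    pins: frozenset    # SPKI hashes announced for the host
    first_seen: float  # time this exact pin set was first announced
    last_seen: float   # most recent announcement (refreshes the max-age window)
    max_age: int       # lifetime in seconds counted from last_seen


class DelayedPinStore:
    """Per-host pin records with announce-then-enforce semantics."""

    def __init__(self, activation_delay=DEFAULT_ACTIVATION_DELAY):
        self.activation_delay = activation_delay
        self.records = {}

    def observe_header(self, host, header_value, now):
        """Record a Public-Key-Pins header seen on a successfully validated connection."""
        parsed = parse_pkp_header(header_value)
        if parsed is None:
            return
        pins, max_age = parsed
        if max_age == 0:
            # max-age=0 withdraws the pin, as in HPKP; this is the owner's recovery lever.
            self.records.pop(host, None)
            return
        rec = self.records.get(host)
        if rec is None or rec.pins != pins:
            # A new or changed pin set restarts the announcement clock, so the site
            # owner has `activation_delay` seconds to notice and replace it.
            self.records[host] = PinRecord(pins, now, now, max_age)
        else:
            rec.last_seen = now
            rec.max_age = max_age

    def is_enforced(self, host, now):
        """True only if the current pin set is unexpired and past its grace period."""
        rec = self.records.get(host)
        if rec is None or now > rec.last_seen + rec.max_age:
            return False
        return now - rec.first_seen >= self.activation_delay

    def check(self, host, chain_spki_hashes, now):
        """Validate a presented chain: 'ok', 'pin-failure', or 'not-enforced'."""
        if not self.is_enforced(host, now):
            return "not-enforced"
        rec = self.records[host]
        return "ok" if rec.pins & frozenset(chain_spki_hashes) else "pin-failure"


if __name__ == "__main__":
    # Constructed scenario: a hostile pin is announced, then replaced by the
    # owner's real pins two days later, before the grace period elapses.
    store = DelayedPinStore()
    store.observe_header("victim.example", 'pin-sha256="evilC="; max-age=5184000', now=0)
    store.observe_header("victim.example",
                         'pin-sha256="legitA="; pin-sha256="backupB="; max-age=5184000',
                         now=2 * DAY)
    print(store.check("victim.example", ["evilC="], now=7 * DAY))   # not-enforced
    print(store.check("victim.example", ["legitA="], now=9 * DAY))  # ok
    print(store.check("victim.example", ["evilC="], now=9 * DAY))   # pin-failure
```

The design choice worth noting is that enforcement is gated on `first_seen` of the exact pin set, not on the first header ever received for the host: any change, hostile or legitimate, costs a full grace period, which is the trade-off the thread is weighing.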