Send the Public Key Pinning (HPKP) header for Wikimedia domains. (Firefox and Chrome support this now.) I suppose we would want to pin the CAs we use instead of the leaf keys. Do not include subdomains at first. Implementing a URI to report failures to would be nice. Start with a domain that is not widely used.
The important question that needs to be answered first: are we able to know which CAs we will be using in the next 6 months (in advance)? (Or, if we pin our leaf keys, can we manage to create private keys 6 months in advance?)
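
Added example, not part of the original task description: a Python sketch that builds a `Public-Key-Pins` header value in the RFC 7469 format and checks it against the rollout constraints listed above (a pin in the served chain plus a backup pin, no `includeSubDomains`, a `report-uri`, and a `max-age` no longer than the period for which the keys are known). The function names, the `reports.example` URL and the SPKI byte strings are assumptions constructed for illustration.

```python
import base64
import hashlib

def pin_sha256(spki_der):
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def build_hpkp(pins, max_age, report_uri=None, include_subdomains=False):
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)

def parse_hpkp(value):
    # Simple split: assumes no ';' inside the quoted report-uri.
    policy = {"pins": [], "max_age": None, "subdomains": False, "report_uri": None}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.lower(), arg.strip('"')
        if name == "pin-sha256":
            policy["pins"].append(arg)
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = arg
    return policy

def check_rollout(value, chain_pins, known_key_horizon):
    """Return the problems found; an empty list means the header fits the plan."""
    p, problems = parse_hpkp(value), []
    if not set(p["pins"]) & set(chain_pins):
        problems.append("no pin matches the served chain")
    if not set(p["pins"]) - set(chain_pins):
        problems.append("no backup pin outside the served chain")
    if p["max_age"] is None or p["max_age"] > known_key_horizon:
        problems.append("max-age missing or longer than the known key plan")
    if p["subdomains"]:
        problems.append("includeSubDomains is set")
    if not p["report_uri"]:
        problems.append("no report-uri")
    return problems

# Constructed stand-ins for DER SPKI bytes; real pins hash the CA's actual SPKI.
CA_A = pin_sha256(b"constructed SPKI: current CA")
CA_B = pin_sha256(b"constructed SPKI: backup CA")
GOOD = build_hpkp([CA_A, CA_B], 30 * 86400, "https://reports.example/hpkp")
BAD = build_hpkp([CA_A], 365 * 86400, include_subdomains=True)
```

Calling `check_rollout(GOOD, [CA_A], 180 * 86400)` returns an empty list, while `BAD` is flagged for the missing backup pin, the over-long `max-age`, `includeSubDomains` and the absent `report-uri`; the 180-day horizon stands in for the 6 months asked about above.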