by nemothekid 3046 days ago
You would probably need some sort of "authority" to redistribute the hashes.
2 comments

There was / is a DNS standard for that: DANE. Sadly DANE was never really adopted. Chrome had support for it but it was removed eventually.
One of the main reasons for the library is no need for a cert authority. Why not just create a regular cert authority certificate and put the trusted authority cert on the clients? That makes it so you almost never have to change the clients' certs. Also, it's supported by standard TLS libraries and clients.
True, didn't think of that. The server would still have to generate it using a command though... I like having things automated.