I think something more like ssh which exchanges certificates on first connection would be better, maybe with expiry, pinning, and sending new certs before an old one expires. On top of that some way of sending certificates, maybe offline, for really critical things like banking.
