Good news is that for everything other than the connection to DNSChain, sysadmins no longer need to worry about setting expiration dates for their SSL/TLS certs (they just update the cert, and then the fingerprint in the blockchain).
However, the connection to DNSChain itself should have its cert (and therefore its fingerprint) updated periodically.
For end-users, it would be prohibitively annoying to have to manually re-enter (or re-verify) an updated fingerprint.
Therefore DNSChain should be able to tell clients over the old cert connection: "Hey, I've got a new fingerprint, use this from now on."
How exactly this should be done is TBD.
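One possible client-side shape for this, as an added sketch that is not part of the original issue and not DNSChain code: a pin store that accepts a successor fingerprint only when it is announced over a connection authenticated by the current pin. The `PinStore` class, the `announced` field, and the use of SHA-256 over the DER certificate are assumptions made for illustration.

```javascript
// Added example: hypothetical client-side pin store; not DNSChain code.
const crypto = require('node:crypto');
const HEX64 = /^[0-9a-f]{64}$/; // shape of a SHA-256 fingerprint in lowercase hex

// SHA-256 fingerprint of the DER-encoded certificate, lowercase hex.
function fingerprint(certDer) {
  return crypto.createHash('sha256').update(certDer).digest('hex');
}

class PinStore {
  constructor(initialPin) {
    this.current = initialPin; // fingerprint the user verified once, by hand
    this.next = null;          // successor announced over a pinned connection
  }

  // certDer: certificate the server presented on this connection.
  // announced: optional successor fingerprint sent by the server (assumed field).
  // Returns 'ok', 'rotated' or 'reject'.
  observe(certDer, announced = null) {
    const seen = fingerprint(certDer);
    if (seen === this.current) {
      // Authenticated by the current pin: only now is an announcement trusted.
      if (typeof announced === 'string' && HEX64.test(announced) &&
          announced !== this.current) {
        this.next = announced;
      }
      return 'ok';
    }
    if (this.next !== null && seen === this.next) {
      // Server switched to the announced cert: promote it, retire the old pin.
      this.current = this.next;
      this.next = null;
      return 'rotated';
    }
    return 'reject'; // unknown cert: refuse, and ignore anything it announced
  }
}

// Constructed byte strings stand in for DER certificates.
function demo() {
  const oldCert = Buffer.from('constructed old certificate bytes');
  const newCert = Buffer.from('constructed new certificate bytes');
  const rogueCert = Buffer.from('constructed rogue certificate bytes');
  const store = new PinStore(fingerprint(oldCert));
  return [
    store.observe(rogueCert, fingerprint(rogueCert)), // reject, announcement ignored
    store.observe(newCert),                           // reject, nothing announced yet
    store.observe(oldCert, fingerprint(newCert)),     // ok, successor recorded
    store.observe(newCert),                           // rotated
    store.observe(oldCert),                           // reject, old pin retired
  ];
}
```

A rotation accepted this way is only as trustworthy as the old key: whoever holds it can announce a successor, so the old cert should be replaced before its key is suspected of exposure.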