Support more fine-grained pinning
Currently, pinning a cert is an all-or-none proposition in that once pinned the cert is there forever, regardless of why it was pinned (bad CA, expired, too weak, etc.). It would be good to be able to specify the reasons why a cert failed validation as part of the pinning process, so if it later starts failing validation for a different reason, that could be flagged in an application's UI.
The specific use case I have in mind is self-signed (or otherwise untrusted) certs with an expiry date - you would want to store an exception for the CA, but not for the date if still current.
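One way the reason-scoped exception described above could be modelled, as an added example that is not code from the original issue or from any particular project: the pin records the accepted failure reasons alongside the fingerprint, and a later check surfaces only failures outside that set. The `Failure` enum, `PinStore` API and the fingerprint value are assumptions constructed for the example.

```python
"""Reason-scoped certificate pinning exceptions (illustrative example).

A pin stores the certificate fingerprint AND the set of validation failures
the user accepted when the pin was created. A later connection is accepted
silently only if every current failure was already accepted; any new failure
reason (e.g. the pinned self-signed cert has now expired) is returned so the
application UI can flag it instead of trusting the cert unconditionally."""
from dataclasses import dataclass, field
from enum import Enum


class Failure(Enum):                       # assumed set of validation failure reasons
    UNTRUSTED_ISSUER = "untrusted issuer"  # self-signed or unknown CA
    EXPIRED = "expired"
    WEAK_KEY = "too weak"
    HOSTNAME_MISMATCH = "hostname mismatch"


@dataclass
class PinEntry:
    fingerprint: str          # e.g. SHA-256 of the DER cert (constructed value below)
    accepted: frozenset       # Failure values the user accepted at pin time


@dataclass
class PinStore:
    pins: dict = field(default_factory=dict)   # host -> PinEntry

    def add_exception(self, host, fingerprint, failures):
        self.pins[host] = PinEntry(fingerprint, frozenset(failures))

    def check(self, host, fingerprint, failures):
        """Return (accepted, new_failures). Accepted only when the fingerprint
        matches the stored pin and no current failure lies outside the accepted set.
        Without a matching pin, the cert is accepted only if it validates cleanly."""
        failures = frozenset(failures)
        entry = self.pins.get(host)
        if entry is None or entry.fingerprint != fingerprint:
            return (not failures, failures)
        new = failures - entry.accepted
        return (not new, new)


# Constructed sample: a self-signed cert pinned while still within its validity period.
FP = "sha256:constructed-fingerprint-for-example"


def demo():
    store = PinStore()
    store.add_exception("intranet.example", FP, {Failure.UNTRUSTED_ISSUER})
    before = store.check("intranet.example", FP, {Failure.UNTRUSTED_ISSUER})
    after = store.check("intranet.example", FP, {Failure.UNTRUSTED_ISSUER, Failure.EXPIRED})
    return before, after   # before is accepted; after flags only EXPIRED as new
```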