Let me describe what I want. There are just a very few institutions with which I want to communicate with fairly high confidentiality assurance. I would like to manually enter into my browser, their public key fingerprint bound to their domain name, perhaps with a wildcard notation for sub-names. This should affect the browser’s behavior as follows: For every access to that domain name, access via https and provide a conspicuous warning of any proffered public key whose fingerprint differs from what I provided.

This notion seems to capture the original simple notion of RSA public key. PKI does not. Self signed certificates are perfectly fine! Certificates signed by even a well known CA with a different fingerprint provoke the warning. With this browser facility I can talk to my bank securely whether or not they buy into HSTS. I have only a bootstrap problem of learning the fingerprint. In this plan my banking confidentiality no longer relies on the worst of the worlds CA’s.

Some might like to be able to specify the fingerprint of a CA’s public key and allow public keys in certs signed by that public key. This would save work and rely on the integrity of just one CA.

With the current Chrome Canary implementation of HSTS specs I often find a site with which I cannot connect because I have chosen not to trust the CA that they have chosen to sign their certs. If I were to mark that CA as trusted then my bank communication would be vulnerable to that unknown CA. Trust it? .... I have never heard of it! A current workaround is to use a different browser that does not do HSTS or does it differently. A different workaround is to use Firefox for non critical sites and tell Firefox to trust all CA's.
Here is Noisebridge The SHA fingerprint of their public key is:
75 49 84 7A 02 89 3A 26 13 BD 20 45 1A 99 4E 81 EF 9B DC 35
In base64 it is:

I enter the pair:
“noisebridge.com”, “sha1/dUmEegKJOiYTvSBFGplOge+b3DU=”
into the HSTS collection. To do this I enter “chrome://net-internals/#hsts” into Chrome’s address bar and hit return.

Using Safari I mark Noisebridge’s certificate as trusted in the Mac’s shared data base of trusted certs. Access behavior is unchanged. I delete the pair in Chrome and enter it again but with a one bit error in the fingerprint. Chrome lets me in with no warning. Had I done this with my bank instead of Noisebridge and a MITM in cahoots with a corrupted CA has presented a signed but different certificate with a different public key, I must assume that I would have been compromised!

Chrome (canary) 39.0.2141.0 and 39.0.2161.3 both fail this way.

My current workaround is to learn the 6 clicks to display the bank’s public key fingerprint just before entering my password. I recognize some of the bits therein. Here are the clicks for Chrome:

  1. lock icon at left end of address bar
  2. “connection” tab in new window. (Sometimes unnecessary but doesn’t hurt)
  3. “certification information” ‘link’
  4. You might here want to select a different level in the certificate chain which is shown.
  5. Click arrow to left of “details”
  6. Scroll down to bottom and see “Fingerprints”

Here is an older less complete analysis.
Munging Canary Cookies on the Mac
A fairly general solution