2 isn't quite the same as my idea, it uses a list of fingerprints for valid certs instead of a CA itself, but it is roughly equivalent.