Let <rule> elements specify an altenative hostname that should be accepted in a cert
For instance, you might want to accept an akamai cert for some given domain that is known to be served by akamai.
This might require an API that doesn't exist yet or it might be possible via the browser's whitelisting mechanism in combination with nsIBadCertListener2 or something equivalent