Comment by LeoPanthera
2 years ago
> How would you do certificate pinning if you don't control the clients?
Well, you cannot. If you were paranoid, you would perhaps supply a hash through some out-of-band mechanism, which would require manually updating for each new cert.
Obviously most people wouldn't ever want to do that.
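The out-of-band hash check described in the comment above, as an added example that is not part of the original comment or written by its author: a client compares the SHA-256 of the server's DER certificate against pins it was handed separately, and a renewed certificate fails until the pin list is updated by hand. All function names are hypothetical and the certificate bytes are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import socket
import ssl

def normalize_pin(pin: str) -> bytes:
    """Parse a SHA-256 pin given as hex (colons optional) or base64 into 32 raw bytes."""
    text = pin.strip()
    hex_form = text.replace(":", "")
    if len(hex_form) == 64:
        try:
            return bytes.fromhex(hex_form)
        except ValueError:
            pass  # not hex; fall through to base64
    raw = base64.b64decode(text, validate=True)
    if len(raw) != 32:
        raise ValueError("pin is not a SHA-256 digest")
    return raw

def cert_is_pinned(der_cert: bytes, pins) -> bool:
    """True if the SHA-256 of the DER-encoded certificate matches any supplied pin."""
    digest = hashlib.sha256(der_cert).digest()
    return digest in {normalize_pin(p) for p in pins}

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate (DER). Normal CA validation still applies."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# Constructed stand-ins for the DER bytes of a certificate before and after renewal.
OLD_CERT = b"constructed-der-bytes-of-current-certificate"
NEW_CERT = b"constructed-der-bytes-of-renewed-certificate"

def hex_pin(der_cert: bytes) -> str:
    """Colon-separated hex fingerprint, as an operator might publish out of band."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der_cert).digest())

def demo_rotation():
    pins = [hex_pin(OLD_CERT)]                 # pin the client was given
    before = cert_is_pinned(OLD_CERT, pins)    # current cert: accepted
    rotated = cert_is_pinned(NEW_CERT, pins)   # renewed cert: rejected
    pins.append(base64.b64encode(hashlib.sha256(NEW_CERT).digest()).decode())
    updated = cert_is_pinned(NEW_CERT, pins)   # accepted after manual pin update
    return before, rotated, updated

if __name__ == "__main__":
    print(demo_rotation())
```

Against a live server, `cert_is_pinned(fetch_leaf_der(host), pins)` performs the same check on the certificate actually presented.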