I see that point. But can't you do the same with DoT? Instead of the public key, you just pin the cert and bypass the CA that way. And you get perfect forward secrecy and the other benefits of TLS. But this might require regular updates of the pinned certs, and it does not solve your maintenance problem.
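As an added illustration of the renewal caveat raised in this comment (example code, not from the thread or any DoT project): the Go program below issues a self-signed cert for a hypothetical resolver "dot.example", renews it later with the same key, and shows that a pin over the whole certificate breaks on renewal while a pin over the SubjectPublicKeyInfo survives. The helper `selfSignedCert` and the names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// selfSignedCert issues a self-signed leaf for key, valid for 90 days from
// notBefore. Hypothetical helper constructed for this example only.
func selfSignedCert(key *ecdsa.PrivateKey, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notBefore.Unix()),
		Subject:      pkix.Name{CommonName: "dot.example"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertPin hashes the whole certificate DER (the "pin the cert" approach);
// SPKIPin hashes only the SubjectPublicKeyInfo (public-key pinning).
func CertPin(c *x509.Certificate) string { h := sha256.Sum256(c.Raw); return hex.EncodeToString(h[:]) }
func SPKIPin(c *x509.Certificate) string { h := sha256.Sum256(c.RawSubjectPublicKeyInfo); return hex.EncodeToString(h[:]) }

// RenewalSurvival issues a cert, renews it 60 days later with the SAME key,
// and reports which pin style still matches the renewed certificate.
func RenewalSurvival() (certPinSurvives, spkiPinSurvives bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return }
	now := time.Now()
	old, err := selfSignedCert(key, now)
	if err != nil { return }
	renewed, err := selfSignedCert(key, now.Add(60*24*time.Hour))
	if err != nil { return }
	return CertPin(old) == CertPin(renewed), SPKIPin(old) == SPKIPin(renewed), nil
}
```

A client that pins the cert hash must ship a new pin at every renewal, whereas a SPKI pin only needs updating when the resolver rotates its key.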