Actually, you're right, my fix is wrong!
However, it's not exactly what you said. The server that issues certificates actually has nothing to do with the server that verifies these certificates.
So while an admin who installs your plugin can choose to switch to a different verification server, they cannot choose to use a different certificate issuer.
The certificate issuer is determined by the email address that the end user uses to log in. Currently, almost all of the emails are using what we call the "fallback identity provider" (login.persona.org) to get a certificate. However, if an email is from a domain which runs a primary identity provider, then the issuer will be that domain.
You can try it out yourself:
1. Create an "email" account on http://eyedee.me
2. Try logging into your WordPress site with firstname.lastname@example.org
This will fail because the issuer of your certificate will be "eyedee.me", not "login.persona.org".
I have added a second patch to my repository to fix this: