
Seems like a neat hack to find a certificate for an entity that doesn't necessarily publish a PGP key.

However, unless the company's primary website is on SSL, how is it going to work? Choosing a random SSL-secured site under a domain might lead to something outsourced, for which the original company would find it hard to obtain the private key. (Even the primary website could be on Akamai, and then the company may not have access to the private key.)

If you start requiring a company to provide a specific domain for the key you might as well ask for a PGP key instead and store the PGP encrypted messages.



Can you find instances of this practice? I'd like to know so I can investigate.


For the Akamai thing, compare what certs you get for say www.oracle.com and www.akamai.com (I see the same cert).

The CN doesn't match there so that case is a bit different to a third party hosting a valid cert. You probably would want to check for things like this somehow though.
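The name check the comment above is asking for, as an added example (not code from the thread or from any project discussed in it): a key-lookup scheme that pulls a company's TLS certificate has to verify that the certificate actually names the host it was fetched for, otherwise a CDN edge certificate (the www.oracle.com / www.akamai.com case) gets treated as the company's key. The code below applies the RFC 6125 matching rules (SAN dNSName entries first, CN only as a fallback when there is no SAN, a wildcard honoured only as the whole left-most label) to the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. All hostnames and certificate contents in the sample dicts are constructed for the demo; `fetch_peer_cert` is an assumed helper that talks to the network and is not used by the offline part.

```python
"""Verify that a TLS certificate names the host it was fetched for.

Added example: RFC 6125-style hostname matching over the dict returned by
ssl.SSLSocket.getpeercert(). Sample certificate dicts below are constructed.
"""
import socket
import ssl


def _match_name(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against a hostname.

    Case-insensitive, trailing dot ignored. A wildcard is accepted only as the
    entire left-most label and matches exactly one label, so '*.example.com'
    covers 'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Refuse '*' alone, '*.com', and partial-label wildcards like 'w*.example.com'.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> tuple[list[str], str]:
    """Return (names, source). If the SAN has DNS entries the CN is ignored."""
    dns = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns:
        return dns, "subjectAltName"
    # Legacy fallback: CN is only consulted when no SAN dNSName is present.
    cn = [value for rdn in cert.get("subject", ()) for (key, value) in rdn
          if key == "commonName"]
    return cn, "commonName"


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if any name the certificate is valid for covers hostname."""
    names, _source = cert_names(cert)
    return any(_match_name(name, hostname) for name in names)


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Assumed network helper: fetch the leaf certificate a host serves.

    Not used by the offline demo. Note that the default context already
    enforces check_hostname, so a mismatch raises during the handshake; the
    functions above are for certificates obtained some other way (for example
    a key-lookup service handing you a cert for a domain).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape.
SAMPLE_CERTS = {
    # The company's own site: SAN names match the host.
    "own-site": {
        "subject": ((("commonName", "www.example.com"),),),
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    },
    # What you see when the site is fronted by a third-party CDN: every name
    # belongs to the CDN, so the cert must not be taken as the company's key.
    "cdn-edge": {
        "subject": ((("commonName", "edge.cdn-example.net"),),),
        "subjectAltName": (("DNS", "edge.cdn-example.net"),
                           ("DNS", "*.cdn-example.net")),
    },
    # Wildcard cert covering one label under example.com.
    "wildcard": {
        "subject": ((("commonName", "*.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"),),
    },
    # Old-style cert with a CN and no SAN: CN fallback applies.
    "cn-only": {
        "subject": ((("countryName", "US"),), (("commonName", "legacy.example.com"),)),
    },
    # CN claims the company's host but the SAN says otherwise: SAN wins.
    "cn-decoy": {
        "subject": ((("commonName", "www.example.com"),),),
        "subjectAltName": (("DNS", "edge.cdn-example.net"),),
    },
}


def check_sample(name: str, hostname: str) -> bool:
    """Convenience wrapper over the constructed samples."""
    return cert_matches_host(SAMPLE_CERTS[name], hostname)


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        names, source = cert_names(cert)
        ok = cert_matches_host(cert, "www.example.com")
        print(f"{name:9} names={names} (from {source}) matches www.example.com: {ok}")
```

Only `own-site` and `wildcard` cover `www.example.com`; `cn-decoy` fails because a present SAN makes the CN irrelevant, which is the detail a naive CN-only check gets wrong.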



