i wonder if I could configure my browser to accept self-signed certificates?

Would have to be with a very noticable warning. Other than that, it could use TOFU like Gemini.

@Hyolobrika
It almost works like that already.
When you open a page on a server with self-signed cert, it gives you a warning, if you accept it, it adds an exception for that cert — you can see the list in preferences under Privacy & Security → Certificates → View certificates → Servers

@Hyolobrika
It also keeps the fingerprints so if you get a different cert on a later visit, it will give you a warning again.
To simplify adding an exception on the first visit you might want to consider this: http://kb.mozillazine.org/Browser.xul.error_pages.expert_bad_cert

@m0xee TIL that Firefox does that. Chromium as well?

@m0xee More websites in the software freedom focussed nerdosphere should use self-signed certs and rely on TOFU like Gemini does.

You don't need permission from a certificate authority then, much more independent.

@Hyolobrika @Hyolobrika
Self-signed certs do not provide the capability to revoke them. Imagine that a malicious actor isn't just spoofing the site you trust with their own self-signed cert, but that the private key got compromised. With self-signed certs you have no way of telling users that the already trusted certificate is no longer valid, such a capability implies some sort of infrastructure and infrastructure implies hierarchy as someone has to operate it🤷

Doesn't PGP do that with revocation certificates?
Why can't TLS do the same thing?

@Hyolobrika @m0xee PGP revocation requires that you search the same keyservers for the revocation that they published it to. If they didn't publish it where you'll find it you're screwed.

But yeah theoretically you could have a private CRL server if we could get OSes and browsers to let us configure it