Would have to be with a very noticeable warning. Other than that, it could use TOFU like Gemini.
@Hyolobrika
It almost works like that already.
When you open a page on a server with a self-signed cert, it gives you a warning; if you accept it, it adds an exception for that cert — you can see the list in preferences under Privacy & Security → Certificates → View certificates → Servers
@Hyolobrika
It also keeps the fingerprints so if you get a different cert on a later visit, it will give you a warning again.
To simplify adding an exception on the first visit you might want to consider this: http://kb.mozillazine.org/Browser.xul.error_pages.expert_bad_cert
@Hyolobrika @Hyolobrika
LetsEncrypt at the very least checks that it's indeed you who controls the DNS record — not much and it won't protect you from a malicious hoster (see jabber.ru case), but it might be useful against a malicious ISP and to a degree, a state actor. E.g. in Russia people are encouraged to install a new CA cert, then the state can make ISPs redirect the traffic to a forged website…
@Hyolobrika
…with a self-signed cert, your first visit might already be to a forged website, making you trust this "fake" cert, but with LetsEncrypt and the website out of the state's reach (not hosted in Russia) — you're safe.
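The trust-on-first-use behaviour discussed in this thread (pin on acceptance, warn again when the fingerprint changes, no protection if the first visit is already intercepted), as an added example that is not part of any poster's message or of any browser's code. `TofuStore`, `demo` and the byte strings standing in for certificates are hypothetical names and constructed values.

```python
import hashlib
import hmac
import json
from pathlib import Path


class TofuStore:
    """Trust-on-first-use pins keyed by host:port (hypothetical helper)."""

    def __init__(self, path=None):
        # Optional JSON file so pins survive restarts; None keeps them in memory.
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    @staticmethod
    def fingerprint(der_cert):
        # SHA-256 over the DER bytes, e.g. from SSLSocket.getpeercert(binary_form=True).
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host, port, der_cert):
        """Return 'unknown', 'match' or 'changed'. Never pins on its own."""
        pinned = self.pins.get(f"{host}:{port}")
        if pinned is None:
            return "unknown"   # first visit: show the warning, let the user decide
        same = hmac.compare_digest(pinned, self.fingerprint(der_cert))
        return "match" if same else "changed"   # 'changed' must warn again

    def accept(self, host, port, der_cert):
        """Record the user's explicit decision to trust this certificate."""
        self.pins[f"{host}:{port}"] = self.fingerprint(der_cert)
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))


def demo():
    # Constructed byte strings standing in for DER-encoded certificates.
    genuine, forged = b"constructed-genuine-cert", b"constructed-forged-cert"
    site = ("example.org", 443)
    client = TofuStore()
    out = [client.check(*site, genuine)]          # no pin yet
    client.accept(*site, genuine)
    out.append(client.check(*site, genuine))      # same cert on a later visit
    out.append(client.check(*site, forged))       # different cert later: detected
    # A fresh client whose very first visit is intercepted pins the forged cert.
    late = TofuStore()
    late.accept(*site, forged)
    out.append(late.check(*site, forged))         # forged cert looks trusted
    out.append(late.check(*site, genuine))        # the real cert now triggers the warning
    return out
```

The last two results show why the first contact is the weak point: a client that pinned the wrong certificate treats the genuine one as the anomaly.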