Gemini is designed to use a TOFU approach to TLS. As such, capsules using a centralized certificate authority should be the exception and not the rule (it isn't against the spec to do so, but it is against the spirit of the spec). As such, mcross should accept self-signed certificates and actually use a TOFU security model for how it handles things. At a minimum it should handle the self-signed certs, since gemini is mostly unusable without doing so.
Agreed. Admittedly I went with only accepting CA-certified sites simply because that took the least amount of work to get an MVP going. I'll eventually get around to trust-on-first-use TLS - it's on the feature checklist.
FWIW I turned off cert validation for now. I'll figure out how to do TOFU TLS on python Soon (tm).
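The following is an added example of what trust-on-first-use TLS looks like in Python, written for this thread; it is not mcross's own code. It assumes an invented `known_hosts` file format of `host:port sha256-hex` lines and the standard Gemini port 1965. Rather than turning certificate validation off outright, it disables only the CA check and moves the trust decision to a pinned SHA-256 fingerprint of the server's DER certificate: first contact records the fingerprint, later contacts must match it, and a mismatch aborts the request.

```python
"""Trust-on-first-use (TOFU) certificate checking for a Gemini client.

Added example, not mcross's own code. The known_hosts format
('host:port sha256-hex', one per line) is an assumption of this example.
"""
import hashlib
import socket
import ssl
from pathlib import Path

GEMINI_PORT = 1965


class TofuMismatch(Exception):
    """Raised when a host presents a certificate different from the pinned one."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex digest of the DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def parse_known_hosts(text: str) -> dict:
    """Parse 'host:port sha256-hex' lines into a dict; blank/comment lines ignored."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hostkey, fp = line.split()
        known[hostkey] = fp.lower()
    return known


def format_known_hosts(known: dict) -> str:
    """Serialize the pin store back to the line format above."""
    return "".join(f"{h} {fp}\n" for h, fp in sorted(known.items()))


def check_tofu(known: dict, hostkey: str, fp: str) -> str:
    """Apply the TOFU rule to one observed fingerprint.

    Returns 'new' on first contact (and records the pin), 'known' when the
    pin matches, and raises TofuMismatch when the host's certificate changed.
    """
    stored = known.get(hostkey)
    if stored is None:
        known[hostkey] = fp
        return "new"
    if stored == fp:
        return "known"
    raise TofuMismatch(f"{hostkey}: pinned {stored[:16]}..., got {fp[:16]}...")


def gemini_context() -> ssl.SSLContext:
    """TLS context that does not require a CA chain; trust comes from the pin store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # self-signed certs accepted here
    return ctx


def fetch(host: str, path: str = "/", port: int = GEMINI_PORT,
          known_hosts: Path = Path("known_hosts")) -> bytes:
    """Fetch gemini://host/path, enforcing TOFU on the presented certificate."""
    known = parse_known_hosts(known_hosts.read_text()) if known_hosts.exists() else {}
    hostkey = f"{host}:{port}"
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname still sends SNI even though hostname checking is off
        with gemini_context().wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            status = check_tofu(known, hostkey, fingerprint(der))  # raises on mismatch
            if status == "new":
                known_hosts.write_text(format_known_hosts(known))
            tls.sendall(f"gemini://{host}{path}\r\n".encode())
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    print(fetch(sys.argv[1] if len(sys.argv) > 1 else "geminiprotocol.net").decode(errors="replace"))
```

Two points worth keeping in mind with this shape: with `verify_mode = CERT_NONE` the only thing standing between the client and an interposed server is the pin check, so the mismatch path must abort before any request is sent (as above) rather than merely warn; and a legitimately rotated certificate will trip the same check, so a client needs a user-facing way to re-pin a host, which this example leaves to the caller.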