Thoughts about TOFU and gemini URLs

Sorry for not posting for many months. I was busy with finding a new job and reinstalling Raspbian, since some packages on my bullseye got too old.

I thought about an alternative way to provide some semblance of trust that a certificate was in fact created by the author of a capsule, without centralized points of authority: embedding the certificate fingerprint into gemini URLs in place of the userinfo component. This way the validity of a certificate would be determined not by luck or by capital, but by community consensus: a client compares the fingerprint in the URL it was given against the certificate the server actually presents. It seems to me that it is much harder for an attacker to modify not only every single certificate, but also every published link that carries its fingerprint, and to keep track of how they were modified.

But there is a flaw in this idea: TLS certificates are mandated to expire at some point. Sure, one could set them to expire at some absurd point in the future, since there is no Certificate Authority to dictate its policy, but it seems dirty to me. Perhaps there is such a thing as perpetual x509 certificates, or gemini could move to ssh (yeah, sure), or we could all agree to just ignore expiration in clients, but I am not sure which is better, and whether any of these choices are better than the status quo.