Having it a configuration setting is the compromise I’ aiming at, but ya know, you only get the half of what you say you want
I’m unsure a custom CA would solve anything that wouldn’t be solved by automagically appending CAcert’s root to the system bundle.
For the man-in-the-middle attacks, be aware that for Diaspora they wouldn’t mean a total breach unless you put them in place for the very very first moment and already fake the public keys in the profiles. Everything that’s send unencrypted is public data anyway, one could “only” gather who is talking privately with who and how frequently does he do that. Not saying this isn’t data we should protect, but it is one we can protect less strongly IMO.