Isn't this how TLS itself already works? "trust on first use"?

Not in current practice. That is why you have to get a certificate from a trusted CA. If your CA isn't in the browser's cert database they will reject the connection even on the first time. If browsers allowed TOFU we would still be able to use self-issued certificates, without manually distributing certs to anyone that uses your service.

SSH is an example of TOFU.

	▲	majorchord 3 hours ago \| parent [-]
		> we would still be able to use self-issued certificates You still can... it just displays a warning message on first use, as does ssh.

▲

treyd 5 hours ago | parent | prev [-]

With PKI you're trusting a certificate chain up to a CA you already trust, by way of your OS or browser vendor.

A domain can layer on HSTS to that, which directs clients to additionally refuse to trust a new cert for a domain until the one you currently trust has expired.

	▲	scheub 3 hours ago \| parent [-]
		That’s not what HSTS does. It asks the client to remember that you want to only use TLS for that domain and refuse to use unencrypted HTTP in the future.