yes, you can create authenticator, but what you are going to check without cluster or bucket object?
the parameters passed through connection string, you cannot create neither bucket nor cluster object without connection string, and it it looks like I need to introduce extra entity (cert authenticator), which will bring the confusion, but after that I have to fight this confusion by throwing exceptions if user still want to pass certificates in the connection string.
I really think that this is just implementation details, because SSL certificates are not really like authenticators, because they have to be provided before initializing the lcb_t instance, and cannot be overriden later (like the SDK says).
Libcouchbase initializes SSL on lcb_create, so it is not possible to use authenticator interface, which set after lcb_create. So all parameters have to be passed through connection string.