I certainly agree it's an admirable goal and would be nice. I'm just pragmatically realizing that Let's Encrypt is a small operation and just can't do everything. It might be helpful if there were a group of people (maybe XMPP/Matrix/SIP server operators, I guess) working on a private PKI (and maybe not just for trying to secure the server end, but also for related client auth use cases), to battle-test what's involved in proper validation and creating these certificates for these use cases as well as in getting client software to recognize these SRV-ID names. If there are working solutions with a private PKI, then I think it's more likely that it could get integrated into the broader public Web PKI.