[tjoff]

How is that no prior configuration on the client side?

[jzwinck]

Clients could use the same certificate for every server, so there is only a one-time setup. Analogous to how clients need to be "configured" with an IP address, the certificate could be given to them by their internet gateway if desired.

[tjoff]

Yeah, and in what universe could that work? I need directions.

Seems far simpler to send a physical mail to the service operator who then hardcodes the IP in the server.

Or, maybe do a handshake once and cache it for X amounts of time whatever makes sense for that service.