[ahmedtd]

If that's all you want to accomplish, you don't need WebPKI. Just generate a private key and a self-signed certificate.

(This is basically how Let's Encrypt / ACME accounts work)

[ajross]

> This is basically how Let's Encrypt / ACME accounts work

That's how they're implemented. How they "work" is a trivial pushbutton thing as documented by a well-known and trusted provider who cares deeply about simple user experience.

"Just self-sign a cert" is very much not the story XMPP wants their federated server operators to deal with.

[jeroenhd]

How do I convince the tens of thousands of other servers that my private key can be trusted without some kind of third party trust architecture?

There's DANE but outside of maybe two countries that's impractical to set up because DNS providers keep messing up DNSSEC.

[the456gamer]

If you are trusting a user since they are the same one that originally contacted you, you don't. It's tofu

[lmz]

I can't believe this was downvoted. Seriously a Certificate is binding a public key and the attributes (mainly the identity). If you don't need to use the attributes, you don't need a certificate!