[Parodper]

> Allowing user to just generate a domain for themselves

That's limited mostly by policy[1], the current PKI environment already allows delegating CA for a single domain.

[1] https://community.letsencrypt.org/t/sub-ca-with-wildcard-cer...

[PunchyHamster]

Last time I checked support for that on client side was pretty spotty

[tptacek]

There is no support for DANE on the client side!