by dvanduzer 4397 days ago
Could you elaborate on what you find meaningful about the authentication a CA provides?

Another neat trick is creating your own CA, and putting your root into the local trust stores of client nodes that you care about. (Be sure to permanently airgap your root key, and create intermediate signers.)
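The three-tier private PKI the comment above sketches (offline root, intermediate signer, leaf), as an added example that is not code from the commenter or from any project: it uses only Go's standard-library crypto/x509 to mint the chain, then runs the client-side check three ways to show what the "put your root in the local trust store" step actually buys you. The hostname and CA names are constructed for the demo; in real use the root key would never be on the same machine as the intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a fresh P-256 key for template and signs it with signerKey; nil parent = self-signed.
func issue(template, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signerKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain mints root -> intermediate -> leaf. In a real deployment the root key is
// generated on an air-gapped machine and only the intermediate key lives on the signing host.
func BuildChain(hostname string) (root, inter, leaf *x509.Certificate, err error) {
	now := time.Now()
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            1, // may certify intermediates, nothing deeper
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return
	}
	inter, interKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Private Intermediate CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(3, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0, // pathlen:0 => may only issue end-entity certificates
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, root, rootKey)
	if err != nil {
		return
	}
	leaf, _, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 3, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return
}

// VerifyLeaf does what a client does: build a path from leaf, through the
// intermediates the server presented, to a root in the local trust store.
func VerifyLeaf(leaf *x509.Certificate, presented, trusted []*x509.Certificate, hostname string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	const host = "internal.example.test" // constructed hostname
	root, inter, leaf, err := BuildChain(host)
	if err != nil {
		panic(err)
	}
	otherRoot, _, _, _ := BuildChain(host) // a second, unrelated private CA
	mid := []*x509.Certificate{inter}
	fmt.Println("our root trusted:       ", VerifyLeaf(leaf, mid, []*x509.Certificate{root}, host))
	fmt.Println("intermediate missing:   ", VerifyLeaf(leaf, nil, []*x509.Certificate{root}, host))
	fmt.Println("only other root trusted:", VerifyLeaf(leaf, mid, []*x509.Certificate{otherRoot}, host))
}
```

The first check passes only because our root is in the trust pool; the second fails because the server did not send its intermediate, so the client cannot build a path; the third fails because a different private CA, even one issuing for the same hostname, is not in the store. The `MaxPathLen` settings are what keep a leaked intermediate from minting further CAs, which is the practical reason for keeping the root offline and signing day-to-day with an intermediate.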


I meant that sending logon + password is somewhat pointless if it's plaintext over the internet, while if you have some encryption going on, someone intercepting the data in transit would have a harder time using it to trick the client or the server. In that sense authentication is more meaningful with a certificate -- even though using a CA still allows interception by a government actor. It narrows the range of those who can "break" the attempted security.
Well, a self-signed certificate still offers that encryption.

None of my arguments about X.509 / CAs are about government actors in particular, though. There are enough root CAs trusted by the major browser vendors that breaches can happen (and have) with minimal resource expenditure.