ircv3 / ircv3-ideas


Alternatives to WebPKI #50

Open GIJack opened 5 years ago

GIJack commented 5 years ago

The Web PKI is great because it comes default with everything. It's not so great because it has quite a few known weaknesses. In addition, it only works on the public internet. It's pretty useless on TOR (yes, I know you can get a .onion signed), I2P, VPNs, and LANs.

idea:

Optional spec for clients to add certificates per server at config time. This solves the use case of a private server on a private network such as a VPN or LAN.

RyanSquared commented 5 years ago

This is very on the edge of "out of scope" for IRCv3. There's no capability, no stuff changed for the protocol itself. I think this would probably be better for something like ircdocs and (self-promo) ircdocs/best-practices where this client UX could be standardized.

SadieCat commented 5 years ago

Client UI design seems pretty out of scope for IRCv3.

Also, if you're on a private server that isn't internet accessible you can make your own CA and provide root certs for your users to install (or install them automatically if you control the hardware).

edk0 commented 5 years ago

I agree that this is out of scope. On a technical note, though, Tor and I2P have network-layer security already; it'd seem redundant to specify a way to use certs on top.
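An added example, not part of the thread or of any IRCv3 document: a Python client applying a per-server trust setting at connection time, covering both the private-CA route and a pinned certificate fingerprint. The host names, file path, config keys and sample certificate bytes are constructed assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a server's DER certificate, used only to derive a sample pin.
SAMPLE_DER = b"constructed-der-certificate-bytes"

# Hypothetical per-server trust config; the keys are assumptions, not an IRCv3 format.
SERVERS = {
    "irc.lan.example": {"port": 6697, "ca_file": "/etc/irc/lan-ca.pem"},
    "irc.vpn.example": {"port": 6697,
                        "pin_sha256": hashlib.sha256(SAMPLE_DER).hexdigest()},
    "irc.public.example": {"port": 6697},  # no override: system trust store
}


def build_context(entry):
    """Return an SSLContext matching the trust mode configured for one server."""
    if "ca_file" in entry:
        # Private CA: trust only this root; hostname checking stays on.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=entry["ca_file"])
        return ctx
    if "pin_sha256" in entry:
        # Pinned certificate: chain validation is off, so connect() must
        # compare the fingerprint before any IRC data is sent.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context()


def check_pin(der_cert, pin_hex):
    """Constant-time comparison of the certificate's SHA-256 with the pin."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(digest, pin_hex.replace(":", "").lower())


def connect(host):
    """Open a TLS socket to a configured server, enforcing its trust mode."""
    entry = SERVERS[host]
    ctx = build_context(entry)
    raw = socket.create_connection((host, entry["port"]), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    pin = entry.get("pin_sha256")
    if pin and not check_pin(tls.getpeercert(binary_form=True), pin):
        tls.close()
        raise ssl.SSLError("certificate does not match the pinned fingerprint")
    return tls
```

In the pinned mode the fingerprint check is the only authentication of the server, so a certificate renewal requires updating the configured pin.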