The certificate does not need to come from somewhere if it is self signed. I’m talking about an untrusted unauthenticated but encrypted connection. Encryption is beneficial even if it conveys no other security other than the encryption itself. I am not talking about a full blown PKI infrastructure with trust.
Clients and relays could use Diffie–Hellman key exchange to encrypt traffic between each other without the need for PKI at all, which would reduce the load. Encryption alone would not prevent man-in-the-middle attacks, but it is still preferred over no encryption at all.
I’m basically asking for something between authenticating relays and regular relays. An option to enable optional encryption on certain relays without the need to authenticate the client’s certificate.
The authenticating relays authenticate the client to make sure that the client is allowed into the system.