AF> I've already expressed my ideas, but here's a summary:
AF> 1. STARTTLS is the best option because:
How do you encrypt the metadata that is sent on connection? Can STARTTLS be
negotiated before node info is sent? Will this add another roundtrip?
Direct TLS will give us a quick path to QUIC, which would reduce connection
times instead of making the protocol slower.
AF> 2. For any kind of TLS something must be decided on certificate
AF> authority.
Or don't use a CA. There is DANE, TOFU, and we still have the encrypted session
password for authentication ...
* Origin: kakistocracy (2:280/464.47)
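As an added illustration of the TOFU option named in the reply above (example code written for this page, not part of the original message or of any mailer software): a small trust-on-first-use pin store that records the SHA-256 fingerprint of a peer's certificate the first time a node address is seen, accepts later connections only if the fingerprint matches, and requires an explicit operator action to replace a pin. The node address format, the `PinStore` class, and the sample certificate bytes are assumptions constructed for the example; on a real TLS socket the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
"""Trust-on-first-use (TOFU) certificate pinning keyed by node address.

Hypothetical example, not taken from any real mailer or protocol
implementation. Assumes peers are identified by a node address string
and that the peer's certificate is available as DER bytes after the
TLS handshake (e.g. ssl.SSLSocket.getpeercert(binary_form=True)).
"""
import hashlib
import json
from pathlib import Path
from typing import Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Maps node address -> pinned certificate fingerprint.

    Verdicts returned by check():
      'new'      first contact; the fingerprint was pinned
      'ok'       fingerprint matches the stored pin
      'mismatch' fingerprint differs; the caller must refuse the session
    """

    def __init__(self, path: Optional[str] = None) -> None:
        self.path = Path(path) if path else None
        self.pins: dict[str, str] = {}
        if self.path is not None and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, node: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        known = self.pins.get(node)
        if known is None:
            # First contact: trust and remember (this is the TOFU risk window).
            self.pins[node] = fp
            self._save()
            return "new"
        return "ok" if known == fp else "mismatch"

    def accept_new(self, node: str, der_cert: bytes) -> None:
        """Operator-approved key rotation: overwrite the stored pin.

        Deliberately separate from check() so a mismatch never silently
        re-pins; a changed certificate must be confirmed out of band.
        """
        self.pins[node] = fingerprint(der_cert)
        self._save()


# Constructed sample data: stand-ins for DER certificate bytes.
NODE = "2:280/464.47"
CERT_V1 = b"constructed DER bytes, certificate generation 1"
CERT_V2 = b"constructed DER bytes, certificate generation 2"


def demo() -> list[str]:
    """Walk through first contact, a repeat, a mismatch, and a rotation."""
    store = PinStore()  # in-memory only; pass a path to persist pins
    verdicts = [
        store.check(NODE, CERT_V1),   # 'new'
        store.check(NODE, CERT_V1),   # 'ok'
        store.check(NODE, CERT_V2),   # 'mismatch' -> refuse the session
    ]
    store.accept_new(NODE, CERT_V2)   # operator confirms the new cert
    verdicts.append(store.check(NODE, CERT_V2))  # 'ok'
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The store only answers "has this node presented this certificate before"; it does nothing about the first contact, which is exactly the trade-off TOFU makes versus a CA or DANE, and why a mismatch is treated as a hard refusal rather than a prompt.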