>when attempts were made to push through security-enhancing changes to the Web PKI, CAs would push back on the grounds that there'd be collateral damage to non-Web-PKI use cases

Do you (or anyone else) have an example of this happening?

Why can't Let's Encrypt push-back on this for their users' sake? What is Google going to do? distrust LE certs?

This sounds a lot like the "increasing hostility for non-web usecases" line in the OP.

In theory, Chrome's rule would split the CA system into a "for web browsers" half and a "for everything else" half - but in practice, there might not be a lot of resources to keep the latter half operational.

It is really great how they write "TLS use cases" and in fact mean HTTPS use cases.

CA/Browser Forum has disallowed the issuance of server certificates that make use of the SRVName [0] subjectAltName type, which obviously was a server use case, and I guess the only reason why we still are allowed to use the Web PKI for SMTP is that both operate on the server hostname and it's not technically possible to limit the protocol.

It would be perfectly fine to let CAs issue certificates for non-Web use-cases with a different set of requirements, without the hassle of maintaining and distributing multiple Roots, but CA/BF deliberately chose not to.

[0] https://community.letsencrypt.org/t/srvname-and-xmppaddr-sup...

Isn't LE used for half the web at this point?

Calling Google's bluff and seeing if they would willingly cut their users off from half the web seems like an option here.

I’m disappointed that a competitor doesn’t exist that uses longevity of IP routing as a reputation validator. I would think maintaining routing of DNS to a static IP is a better metric for reputation. Having unstable infrastructure to me is a flag for fly by night operations.