I'm trying to bring the encryption benefits of MTLS, the security of X509 Name Constraints, and the improvements that have been made in the various client libraries and operating systems to TLS behavior into a nice group, so that any small company, or even individual, can run their own CA infrastructure that puts the big enterprises to shame (specifically, https://enroll.visaca.com/ already deserves a lot of shame).
I'm doing so by making it easier to mint certificates for your pods in k8s (https://gitlab.com/gauntletwizard_net/kubetls/-/tree/master), by writing documentation on how to create good root certs with cheap HSM-backed keys, updating cfssl to work with name constraints (https://github.com/GauntletWizard/cfssl/tree/ted/constraints), and building tools to issue short-lived certificates to developers.