Looks interesting. One thing springs to mind reading it – have you played with client-side certificate generation, so the server never sees the client private certificate? Moz has the <keygen> tag and I know IE has a similar-but-subtly-different tag. I was looking for a browser-agnostic way of doing this in rails recently and didn’t find much, but I wasn’t looking all that hard, I must admit.
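What the `<keygen>` flow looks like end to end, as an added Ruby example (not code from the post or its author): the browser-side helper only simulates what `<keygen name="spkac" challenge="...">` does, and the CA, common name and serial are stand-ins you would replace with your own.

```ruby
require "openssl"

# Simulated browser side: <keygen> makes the key pair locally and submits only
# the SPKAC (public key + challenge, self-signed) as base64 in the form field.
def browser_keygen(challenge, bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  spki = OpenSSL::Netscape::SPKI.new
  spki.challenge = challenge
  spki.public_key = key.public_key
  spki.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, spki.to_pem] # to_pem is the base64 form a browser posts
end

# Throwaway self-signed CA for the demo; keep the real one off the web tier.
def make_ca(cn = "Demo Client CA")
  key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version, ca.serial = 2, 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.new([["CN", cn]])
  ca.public_key = key.public_key
  ca.not_before = Time.now
  ca.not_after = ca.not_before + 10 * 365 * 86400
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  ca.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  ca.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, ca]
end

# Server side (what the Rails controller does): check proof of possession and
# the per-session challenge, then sign. The private key never reaches the server.
def issue_client_cert(spkac_b64, expected_challenge, ca_key, ca_cert, cn, serial)
  spki = OpenSSL::Netscape::SPKI.new(spkac_b64)
  return nil unless spki.verify(spki.public_key)         # signed by the matching private key
  return nil unless spki.challenge == expected_challenge # rejects replayed / foreign SPKACs
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])   # no Name.parse on user input
  cert.issuer = ca_cert.subject
  cert.public_key = spki.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 365 * 86400
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "clientAuth", false))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  cert
rescue OpenSSL::Netscape::SPKIError
  nil # malformed or non-base64 SPKAC
end
```

Tie the challenge to the session and check it server-side; it is the only thing preventing an SPKAC captured from another user's form from being signed for this one.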