client certs?

Bill Burke

Nov 5, 2012, 5:38:43 PM11/5/12
to oz-pr...@googlegroups.com
Any thought to incorporating SSL with client certs into a security protocol?  When client certs are part of the protocol, can you remove the need to bookkeep things like nonces and state?  Isn't there a lot more cool things you could do?  For example, your authz server could provide a signed access token that contained all identities allowed to use that token.  Then when a service receives an access token, it verifies the token's signature, verifies the cert of the connected client, and matches the client cert's identity to one of the authorized identities contained in the token.  In this scenario, it doesn't matter if the token is obtained by a hostile party.  Also, individual services only need public keys of trusted authz servers.
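The three-step check Bill describes (verify the token signature, verify the connected client's cert, match the cert identity against the token's list), written out as an added example; this is not code from the thread or from the protocol under discussion. The token format (a JSON subject list plus an ECDSA signature over its SHA-256 hash), matching on the certificate's subject CN, and the throwaway CA built inline are all assumptions made for the demo. In a real deployment the TLS stack verifies the client chain during the handshake and the service reads the peer leaf from the connection state; here the chain check is called explicitly so every step is visible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // keeps the demo's setup code short
	if err != nil {
		panic(err)
	}
	return v
}

// Token is the hypothetical access-token format assumed here: a JSON payload naming the
// client identities allowed to use it, signed (ECDSA over SHA-256) by the authz server.
type Token struct{ Payload, Sig []byte }
type claims struct {
	Subjects []string  `json:"subjects"` // X.509 subject CNs that may present this token
	Expiry   time.Time `json:"exp"`
}

// issueToken plays the authz server.
func issueToken(authzKey *ecdsa.PrivateKey, c claims) Token {
	payload := must(json.Marshal(c))
	h := sha256.Sum256(payload)
	return Token{payload, must(ecdsa.SignASN1(rand.Reader, authzKey, h[:]))}
}

// authorize plays the resource service. It needs only the authz server's public key
// and the CA pool for client certs; clientCert is the leaf the TLS layer received.
func authorize(authzPub *ecdsa.PublicKey, clientCAs *x509.CertPool, tok Token, clientCert *x509.Certificate, now time.Time) error {
	h := sha256.Sum256(tok.Payload) // 1. signature from a trusted authz server
	if !ecdsa.VerifyASN1(authzPub, h[:], tok.Sig) {
		return fmt.Errorf("token: signature does not verify")
	}
	var c claims
	if err := json.Unmarshal(tok.Payload, &c); err != nil {
		return fmt.Errorf("token: %w", err)
	}
	if now.After(c.Expiry) {
		return fmt.Errorf("token: expired")
	}
	opts := x509.VerifyOptions{Roots: clientCAs, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := clientCert.Verify(opts); err != nil { // 2. cert chains to a trusted CA
		return fmt.Errorf("client cert: %w", err)
	}
	for _, s := range c.Subjects { // 3. the cert's identity is one the token names
		if s == clientCert.Subject.CommonName {
			return nil
		}
	}
	return fmt.Errorf("client %q is not among the token's authorized identities", clientCert.Subject.CommonName)
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// mintCert builds the demo's throwaway PKI: a self-signed CA when parent is nil,
// otherwise a client-auth leaf for pub signed with signer (the parent CA's key).
func mintCert(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// Outcome records how the service treats four presentations of one token.
type Outcome struct{ Legit, Stolen, RogueCA, Tampered error }

func runScenario() Outcome {
	authz, caKey, rogueKey, now := newKey(), newKey(), newKey(), time.Now()
	ca := mintCert("Demo Client CA", &caKey.PublicKey, nil, caKey, 1)
	rogueCA := mintCert("Rogue CA", &rogueKey.PublicKey, nil, rogueKey, 2)
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the service trusts only the demo CA
	billing := mintCert("billing-service", &newKey().PublicKey, ca, caKey, 3)          // named in the token
	mallory := mintCert("mallory", &newKey().PublicKey, ca, caKey, 4)                  // valid cert, not named
	impostor := mintCert("billing-service", &newKey().PublicKey, rogueCA, rogueKey, 5) // right name, untrusted CA
	tok := issueToken(authz, claims{Subjects: []string{"billing-service"}, Expiry: now.Add(10 * time.Minute)})
	// Adding oneself to a captured token's subject list invalidates the signature (constructed payload).
	tampered := Token{[]byte(`{"subjects":["billing-service","mallory"],"exp":"2099-01-01T00:00:00Z"}`), tok.Sig}
	return Outcome{
		Legit:    authorize(&authz.PublicKey, pool, tok, billing, now),
		Stolen:   authorize(&authz.PublicKey, pool, tok, mallory, now), // same token, captured by mallory
		RogueCA:  authorize(&authz.PublicKey, pool, tok, impostor, now),
		Tampered: authorize(&authz.PublicKey, pool, tampered, mallory, now),
	}
}

func main() { fmt.Printf("%+v\n", runScenario()) }
```

Only the legitimate presentation succeeds: the captured token fails at the identity match, the impostor's cert fails chain validation even though its CN is the right one, and the edited token fails the signature check. The service holds no per-token state and no nonce table; what it must hold is the authz server's public key, the client CA pool, and (not shown) a revocation source for client certs, since once a token is bound to a certificate the certificate's lifetime becomes the real credential lifetime. Matching on CN is a demo simplification; a subject alternative name or a pin on the leaf's public key is the usual choice.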