> Automatic certificate selection doesn't work then, as no realm concept
as in baseauth exists.
That's not true. If a server requests a client certificate, it has to
send a list of "acceptable" CAs. The client is supposed to use a cert
that is signed by one of those. If you plan your environment carefully
automatic selection can work (except for IE which apparently is too dumb
to heed the acceptable CA list and always shows all certificates to
the user).
I agree with most of your other points. Setting up proper
authentication via client certificates is a complicated mess.
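An added illustration of the selection rule described above; this is example code, not something from the original message or from any particular TLS implementation. It uses only Go's standard-library crypto/tls, with every CA and certificate constructed in memory: the server's ClientCAs holds one CA (Go sends those subjects as the acceptable-CA list in CertificateRequest and exposes them to the client as CertificateRequestInfo.AcceptableCAs, DER-encoded issuer names); the client holds a certificate from the wrong CA listed first and one from the right CA second, and GetClientCertificate picks by comparing each certificate's RawIssuer against that list. A second handshake against a server that trusts an unrelated CA shows the other outcome: nothing matches, so the client aborts instead of offering everything it holds. The CA names, host names and the key/cert material are all made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mint signs tmpl with parent (self-signs when parent is nil); all material is constructed here, not a real PKI.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

func newCA(name string) tls.Certificate {
	return mint(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

func issue(ca tls.Certificate, name string, eku x509.ExtKeyUsage) tls.Certificate {
	return mint(&x509.Certificate{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}},
		ca.Leaf, ca.PrivateKey.(*ecdsa.PrivateKey))
}

// pickClientCert applies the rule from the message: offer the first cert whose issuer is on the server's acceptable-CA list.
func pickClientCert(wallet []tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		for i := range wallet {
			for _, ca := range cri.AcceptableCAs { // DER-encoded issuer names from CertificateRequest
				if bytes.Equal(wallet[i].Leaf.RawIssuer, ca) {
					return &wallet[i], nil
				}
			}
		}
		// Nothing matched: fail here rather than offer every certificate the user holds.
		return nil, fmt.Errorf("none of %d client certificates is issued by an acceptable CA", len(wallet))
	}
}

// handshake runs one mutual-TLS handshake over an in-memory pipe: the server presents serverCert and
// accepts client certificates from clientCA only; it returns the CN of the client cert it verified.
func handshake(serverCA, clientCA, serverCert tls.Certificate, wallet []tls.Certificate) (string, error) {
	clientPool, rootPool := x509.NewCertPool(), x509.NewCertPool()
	clientPool.AddCert(clientCA.Leaf)
	rootPool.AddCert(serverCA.Leaf)
	// ClientCAs becomes the acceptable-CA list sent to the client; tickets are off so nothing is written after the handshake on the unbuffered pipe.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: clientPool, SessionTicketsDisabled: true}
	cliCfg := &tls.Config{ServerName: "server.example", RootCAs: rootPool, GetClientCertificate: pickClientCert(wallet)}
	srvConn, cliConn := net.Pipe()
	server, client := tls.Server(srvConn, srvCfg), tls.Client(cliConn, cliCfg)
	done := make(chan error, 1)
	go func() {
		err := client.Handshake()
		if err != nil {
			cliConn.Close() // let the waiting server fail instead of hanging
		}
		done <- err
	}()
	if err := server.Handshake(); err != nil {
		srvConn.Close()
		return "", fmt.Errorf("server: %w; client: %v", err, <-done)
	}
	if err := <-done; err != nil {
		return "", err
	}
	return server.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func run() (selected string, okErr, noMatchErr error) {
	corp, other, stray := newCA("Corp Root CA"), newCA("Other Root CA"), newCA("Unrelated Root CA")
	serverCert := issue(corp, "server.example", x509.ExtKeyUsageServerAuth)
	wallet := []tls.Certificate{issue(other, "alice.other.example", x509.ExtKeyUsageClientAuth), // wrong CA first on purpose
		issue(corp, "alice.corp.example", x509.ExtKeyUsageClientAuth)}
	selected, okErr = handshake(corp, corp, serverCert, wallet) // server trusts Corp: selects alice.corp.example
	_, noMatchErr = handshake(corp, stray, serverCert, wallet)  // server trusts Unrelated: no match, handshake aborts
	return
}

func main() {
	fmt.Println(run())
}
```

Run it with `go run` and the first value printed is the CN the server verified, chosen from the second wallet entry even though the Other-CA certificate was listed first. The matching is done on the raw issuer bytes, which is exactly what the acceptable-CA list carries; a client that ignores that list has no information left to select with and can only ask the user, which is the IE behaviour the message describes.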