ietf-mxcomp

RE: comments on draft-rosenberg-sipping-spam-00.txt

2004-07-15 07:37:05


 no one said that public-key based client authentication was not possible.

 it is a perfectly reasonable idea.
 
 they said that it has not established any significant track
 record of use.

 blithely relying on a public key infrastructure ignores approximately
 15 years of failure to get one deployed and used on any large scale.

Last time I looked VeriSign was making over a billion dollars in revenue,
a significant portion of which comes from operating a large scale PKI.

I suspect that the reason that people falsely believe that PKI does
not exist is that they have no clue what a PKI really looks like. They
are still waiting for something that looks like Loren Kohnfelder's
master's thesis of 1979, a thesis that was questioning the practicality
of running anything that looked like today's DNS, a reasonable question
at the time.


What is needed here need not involve certificates at all (except to
the extent that you might need to create self-signed certs to have
something plug-compatible with existing protocols).

If all you need to do is to authenticate a public key to a DNS name
you might as well use the DNS as a key distribution infrastructure.


The point of an SSL Web site certificate is that if you want to
accept ecommerce payments you need to establish rather more than
mere ownership of a domain name.


                Phill