Acegi with applet based PKI

In Sweden it's common to use a PKI based system that uses a Java applet and soft certificates (it's called IBM CBT). There is a Java API for the server side, used to delegate the verification and CRL checking to a standalone PKI server.

There is no principal, just a certificate, and the verification will return with surname, given name and a unique ID (In Sweden we use something called Personal number. Everybody has one, and they are unique).

I guess it's like normal HTTPS client certificates, just more complicated.

Is this form of authentication in line with Acegi?

Acegi Security doesn't provide PKI out of the box, although what you describe is very similar to how the CAS integration works. It just uses a dummy principal object when processing the request, and later populates a proper Authentication object that contains the additional information retrieved from the CAS server during ticket validation.

You could certainly implement an AuthenticationProvider that integrated with PKI. If you do get time to do this, I'd certainly be interested in adding it to the CVS code.