In Sweden it's common to use a PKI-based system that uses a Java applet and soft certificates (it's called IBM CBT). There is a Java API for the server side, used to delegate the verification and CRL checking to a standalone PKI server.
There is no principal, just a certificate, and the verification will return with surname, given name and a unique ID (in Sweden we use something called a personal number; everybody has one, and they are unique).
I guess it's like normal HTTPS client certificates, just more complicated.
Is this form of authentication in line with Acegi?