Any chance you will consider adding authentication via a X.509 certificate as an additional option on stackexchange? It sure seems like this should be pretty easy to implement. It seems like it should be as useful for proving the identity of someone as trusting 3rd party identity providers, or cookie based authentication. You already support multiple authentication providers adding another should be easy.
Just setup a page, which requires a certificate. If you have never seen the public certificate before, ask the user if they wish to associate the certificate with an existing account or create a new one, store the certificate for future logins. If you have seen the public cert before, then look up the account details and log the user in.
I would suggest that you should not care about what CA the certificate is signed by. Just accept any certificate signed by any CA, or self-signed. If you don't spend time trying to verify anything to do with CAs, certificate based auth basically just becomes trust on first use.