by snowstormsun 1082 days ago
Certificates also need to be rotated at some time.
2 comments

Yes, just like passwords need to be rotated at some point. Of course, in 2023 people have already reconsidered what the practical effect on security of that policy was, as opposed to the theoretical effect. Perhaps client certificate rotation would be as unnecessary as password rotation for similar reasons, or perhaps automation like that used for server certificates could be applied for similar reasons.
The ACME protocol handles this. Is there space for an 'email-01' or similar mechanism for client certificate verification?
Why are we desperate to jam X509 into every hole, regardless of whether or not it's a good idea?

mTLS for most cases is not a good idea. For the masses, it's certainly not a good idea.