This document describes an extension to the TLS protocol to allow TLS clients to authenticate with legacy credentials using the Extensible Authentication Protocol (EAP).
This allows the many secure authentication and key exchange protocols that already run over EAP to be used for client-side authentication even in an HTTP-based environment, which makes the approach well suited to many of the identity management proposals currently under discussion.
An IETF draft, called "Protocol Model for TLS with EAP Authentication", describes the chosen approach. It shows some similarity with the TLS Inner Application extension (TLS/IA) that was published some time ago. An implementation of TLS/IA is available in GnuTLS, see http://lists.gnupg.org/pipermail/gnutls-dev/2005-December/000945.html