Notice how the spec it is based on explicitly rejects using client certs with TLS. This matters because one of the goals of Thali is to NOT provide for third-party verifiable communications. In other words, I don't want every conversation I have with someone to turn into a cryptographically authenticated record that can be used against me for the rest of my life. By using TLS with mutual auth we achieve this goal nicely.
Now, to be fair, the spec does say it will support
messaging which achieves the same goal. But now we have to introduce a brand-new layer into our apps to support that. What's beautiful about TLS with mutual auth is that it 'just works' and our app layer doesn't need to know the details beyond the universal
. But thankfully channel binding isn't magic. If you look at how we handle the principal object in the TDH, you will see that we hook it straight into the SSL channel so it has full knowledge of the stack.
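To make the "third-party verifiable record" distinction concrete, here is an added example (not Thali or TDH code) contrasting a signed message, which anyone with the signer's public key can verify, with the per-session MAC that a TLS channel attaches to application data, which either endpoint could have produced and so proves nothing to an outsider. The key material and messages are constructed stand-ins, not a real TLS session.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRecord is what a message-signing layer produces: a third-party verifiable record.
type SignedRecord struct {
	Msg []byte
	Sig []byte
}

func Sign(priv ed25519.PrivateKey, msg []byte) SignedRecord {
	return SignedRecord{Msg: msg, Sig: ed25519.Sign(priv, msg)}
}

// ThirdPartyVerifies models Carol, who holds only Alice's public key.
func ThirdPartyVerifies(pub ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(pub, r.Msg, r.Sig)
}

// Mac models the integrity tag a mutually authenticated TLS channel puts on
// application data: a MAC under a session key that both endpoints share.
func Mac(sessionKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(msg)
	return m.Sum(nil)
}

// PeerCanForge shows why the tag is deniable: Bob, holding the same session
// key, reproduces Alice's tag exactly, so Carol cannot tell who produced it.
func PeerCanForge(sessionKey, msg, aliceTag []byte) bool {
	return hmac.Equal(Mac(sessionKey, msg), aliceTag)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("I agree to the terms") // constructed sample message
	rec := Sign(priv, msg)
	fmt.Println("signed record verifiable by Carol:", ThirdPartyVerifies(pub, rec))

	key := []byte("constructed-32-byte-session-key!") // stand-in for the TLS session key
	tag := Mac(key, msg)
	fmt.Println("Bob can forge Alice's channel tag:", PeerCanForge(key, msg, tag))
}
```

Note that the client-cert signature in the TLS handshake covers only the handshake transcript, not the application data, which is why the channel's authentication does not become a signed record of the conversation.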