On a related note, I have patches for the GNUTLS side of things that allows for client certificate support (including CRLs).  I also have ngircd connected to a an OTP solution, which obviously causes issues with the numerous client re-connects.  I ended up implementing an authentication cache to solve that problem as well.  Any interest in both/either?