Why would you want to mix identity verification with the WebPKI? This makes no sense at all. Just because a CA is trusted for web verification doesn't mean it's trusted for identity verification, machine enrollment, or any other purpose. And vice-versa: a CA for identity verification is not in any way trusted for web verification.
I think the idea was to use client certs for strong authentication on the government web services, which didn't rally took off, except maybe in Estonia.
