I like user certificates on the client.
Unfortunately without centralization there’s no means to do things like cert == specific user, ban list, etc.
What happens when you have two user name strings that are the same, but the certs differ? The only answer is centralization.
Why not do both? You can use certificates on the client, with optional central auth, user registry, and banlist. Then MP servers can choose to enable it or not.