We are in the process of documenting the details of both good and bad client authentication schemes. You can already obtain most of this information from our tech report. Cleaner HTML will appear here.
Note that we have long since notified the sites with insecure schemes. Most have chosen to implement better or different schemes.