How does SCaaS handle certificates?

SCaaS utilizes User certificates primarily for identification not authentication.  These certificates do not have any native ability to unlock anything.  All privileges and roles are dynamically applied.  This means a User and Device are first identified using a Certificate and Password.   Once identified, a drop down list is presented with the Services available for the User and Device.  Certificates (Devices) can be dynamically / at-will enabled.  This is especially useful for intermittent or emergency access requirements.  There is no need for Certificate Revocation lists or short Certificate life spans.  If a Device is lost it is simply deleted in the Administration Panel and it will never have access again.