Actually it does work both ways, you can use a certificate that identifies the browser rather than the server to do client authentication.