We have a two-way SSL solution that does client certificate authentication on a self-signed client certificate coming from the requesting application installed on the CA API Gateway. That certificate is associated with the local Federated Identity Provider (FIP) user and is equivalent from a security standpoint to using a commercially signed certificate, in our view.
What is CA Technologies' standpoint on this? Does CA agree with the above statement that there is equivalent security using a self-signed certificate as a commercially signed certificate?
The security of a client certificate is premised on establishing a level of trust for validating that the client certificate was signed by a trusted source. That trusted source could be an internal CA provider owned by the company, an external CA provider, or the certificate itself (self-signed). Whether signed by an internal or an external provider, the main piece of trust comes from trusting the CA authority used and utilizing CRL/OCSP validation to ensure that, even though the certificate has been signed, it has not been revoked. With self-signed certificates this functionality is not available, so they do not have the same advantage. This functionality can be added, as has been done here, by adding the certificate to a user within an LDAP, Federated, or Internal Identity Provider within the Gateway. If that user gets disabled or deleted, the ability to log in will fail.
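The two trust models the answer contrasts, as an added example written for this page rather than code from CA Technologies or the API Gateway: model 1 chains the client certificate to a trusted CA and then consults revocation data, model 2 trusts a self-signed certificate only while its fingerprint is mapped to an enabled identity-provider user. Everything here is Go standard library and constructed for illustration: the set of revoked serials stands in for a CRL/OCSP lookup, and the fingerprint-to-enabled map stands in for the Gateway's LDAP/Federated/Internal user record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// fingerprint is the pin that maps a certificate to a user record: hex SHA-256 over the DER bytes.
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
// mintCert issues a short-lived constructed test certificate (one loose template serves CA and leaf); parent == nil makes it self-signed.
func mintCert(cn string, serial int64, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Model 1 (CA-signed): trust is the chain to the CA plus its revocation data; the constructed set of revoked serials stands in for the CRL/OCSP lookup.
func verifyViaCA(leaf, ca *x509.Certificate, revoked map[string]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	if err == nil && revoked[leaf.SerialNumber.String()] {
		err = fmt.Errorf("certificate serial %s has been revoked by its CA", leaf.SerialNumber)
	}
	return err
}
// Model 2 (self-signed): no chain and no CRL/OCSP; the certificate is accepted only while its fingerprint maps to an enabled user (map value = enabled), so disabling or deleting the user is the revocation lever.
func verifyViaPinnedUser(leaf *x509.Certificate, users map[string]bool) error {
	if enabled, known := users[fingerprint(leaf)]; !known || !enabled || time.Now().Before(leaf.NotBefore) || time.Now().After(leaf.NotAfter) {
		return fmt.Errorf("certificate %s... is not mapped to an enabled user, or is outside its validity period", fingerprint(leaf)[:16])
	}
	return nil
}
```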