A cert, like X.509, binds an identity to a device; whereas a circle tie is linked to a mobile device via the application. The same cert (and, unless exceptional steps are taken, it must be used on every device generating or reading email for that email address) may be used on many devices.

As a result, possession of the cert is sufficient to impersonate that email address since virtually all X.509 certs are password protected in order for this exploit to work.