RE: enforcing mutual auth from the client


 



> It is not clear what threat model warrants taking special action when the client
> certificate is not requested.  It could equally be requested and then largely
> ignored.

A client in a highly secured network knows that every server it connects to will require a client certificate.  If the request fails to arrive, it's either a misconfiguration or a compromised server.  In either case, the client prefers to fail and make the user aware of a problem rather than risk compromising sensitive data with the user unaware that there was unexpected behavior.
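The fail-closed behaviour described in this message, as an added example that is not part of the original post. The post names no TLS library, so Go's `crypto/tls` is an assumption; `StrictDial`, `Probe` and `ErrNoCertRequest` are hypothetical names, and the loopback test server is constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http/httptest"
)

var ErrNoCertRequest = errors.New("server never requested a client certificate")

// StrictDial (hypothetical helper) fails closed unless the server asked for a
// client certificate. crypto/tls calls GetClientCertificate only when a
// CertificateRequest arrives, so the hook doubles as the detector.
func StrictDial(addr string, cfg *tls.Config, cert tls.Certificate) (*tls.Conn, error) {
	requested := false
	cfg = cfg.Clone()
	cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		requested = true
		return &cert, nil
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil && !requested {
		conn.Close() // no application data is ever written to this session
		return nil, ErrNoCertRequest
	}
	return conn, err
}

// Probe starts a constructed loopback server with the given policy and returns
// StrictDial's verdict. An empty tls.Certificate is presented, so no key is needed.
func Probe(policy tls.ClientAuthType) error {
	ts := httptest.NewUnstartedServer(nil)
	ts.TLS = &tls.Config{ClientAuth: policy}
	ts.StartTLS()
	defer ts.Close()
	roots := x509.NewCertPool()
	roots.AddCert(ts.Certificate())
	conn, err := StrictDial(ts.Listener.Addr().String(), &tls.Config{RootCAs: roots}, tls.Certificate{})
	if err == nil {
		conn.Close()
	}
	return err
}

func main() {
	fmt.Println("RequestClientCert:", Probe(tls.RequestClientCert))
	fmt.Println("NoClientCert:     ", Probe(tls.NoClientCert))
}
```

The check runs after the handshake and before any application data is written, so the caller never receives a usable connection from a server that skipped the request.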



