RE: [EXTERNAL] RE: enforcing mutual auth from the client

> > It is not clear what threat model warrants taking special action when
> > the client certificate is not requested.  It could equally be
> > requested and then largely ignored.
> 
> A client in a highly secured network knows that every server it connects to will
> require a client certificate.  If the request fails to arrive, it's either a
> misconfiguration or a compromised server.  In either case, the client prefers to
> fail and make the user aware of a problem rather than risk compromising
> sensitive data with the user unaware that there was unexpected behavior.
But as noted, even a compromised server can ask for client credentials and then ignore them.  So in your threat model, the client might think it is talking to a legit server just because it asks for a certificate like it's "supposed to", but it will happily be exchanging sensitive data with this compromised server.
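The point in dispute above can be shown directly in code. The following Go program is an added example written for this archive page, not code from either poster or from any TLS library's documentation. It runs three in-process TLS handshakes over net.Pipe against the same client, using throwaway self-signed certificates that the program generates itself (constructed test material; the names server.example and client.example are assumptions). The client records the only thing it can observe about the server's client-auth policy: whether a CertificateRequest arrived, which in Go surfaces as a call to the GetClientCertificate callback. A server configured to request the certificate and then ignore it (tls.RequestClientCert) is indistinguishable, from the client's side, from one that requires and verifies it; only a server that never asks stands out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// Observation is everything the client side can see about one handshake.
type Observation struct {
	Requested bool // the server sent a CertificateRequest
	Completed bool // the handshake finished successfully on both sides
}

// selfSigned builds a throwaway self-signed certificate for the demo
// (constructed test material, valid for one hour, usable as server or client).
func selfSigned(name string, serial int64) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// observe runs one in-process handshake over net.Pipe with the given server-side
// client-auth policy and reports what the client was able to observe.
func observe(policy tls.ClientAuthType, server, client tls.Certificate) Observation {
	roots := x509.NewCertPool()
	roots.AddCert(server.Leaf)
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(client.Leaf)

	serverConf := &tls.Config{
		Certificates:           []tls.Certificate{server},
		ClientAuth:             policy,
		ClientCAs:              clientCAs,
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // no post-handshake writes on the synchronous pipe
	}
	var obs Observation
	clientConf := &tls.Config{
		RootCAs:    roots,
		ServerName: server.Leaf.DNSNames[0],
		MinVersion: tls.VersionTLS12,
		// Called only when a CertificateRequest arrives. Whether the server
		// then honours the certificate or ignores it is invisible here.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			obs.Requested = true
			return &client, nil
		},
	}
	clientSide, serverSide := net.Pipe()
	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(serverSide, serverConf).Handshake() }()
	clientErr := tls.Client(clientSide, clientConf).Handshake()
	if clientErr != nil {
		clientSide.Close() // let the server goroutine fail out instead of blocking
	}
	obs.Completed = clientErr == nil && <-serverErr == nil
	return obs
}

// RunDemo exercises three server policies against the same client and returns
// the client's observation for each, keyed by the policy name.
func RunDemo() (map[string]Observation, error) {
	server, err := selfSigned("server.example", 1)
	if err != nil {
		return nil, err
	}
	client, err := selfSigned("client.example", 2)
	if err != nil {
		return nil, err
	}
	return map[string]Observation{
		"NoClientCert":               observe(tls.NoClientCert, server, client),
		"RequestClientCert":          observe(tls.RequestClientCert, server, client),          // asks, then ignores the answer
		"RequireAndVerifyClientCert": observe(tls.RequireAndVerifyClientCert, server, client), // asks and actually checks it
	}, nil
}

func main() {
	results, err := RunDemo()
	if err != nil {
		log.Fatal(err)
	}
	for _, name := range []string{"NoClientCert", "RequestClientCert", "RequireAndVerifyClientCert"} {
		fmt.Printf("%-28s requested=%-5v completed=%v\n", name, results[name].Requested, results[name].Completed)
	}
}
```

The two rows for RequestClientCert and RequireAndVerifyClientCert come out identical, which is the whole of the objection: a client-side rule of "fail unless a certificate was requested" detects a server that forgot to ask, but gives no assurance about what the server does with the certificate once it has it.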