there doesn't seem to be any immediate demand for renegotiation
> support, so it makes the most sense to leave it optional-to-enable
> rather than optional-to-disable.
If you want to protect some parts of your site with client
authentication, then you need to enable insecure renegotiation to
support (not so) old browsers - even latest version of Safari on Mac.
But I agree it should stay disabled by default (most secure).
And client-side renegotiation isn't probably needed as several app
servers do not honour it any way.
Nick
