Faidon Liambotis wrote:
Another reason to do it is because it's the obvious thing to do:
-not-required doesn't mean -do-not-check/-ignored, it means "I will not
fail if you don't provide it but I will fail if you provide one that I can't
verify", IMHO.

Checking the certificate only if present and treating it as successful should it not be present adds no real (non-illusory) security over not checking the certificate at all. Leading people to believe that they have some additional certificate-provided level of security when using certificates in conjunction with client-cert-not-required is thus the Wrong Thing as opposed to making it clear that there is no certificate-related security provided when client-cert-not-required is in use.

Also, modifying the code to add an illusory level of security is more work than not having that (illusory-only) security at all.

