> Regarding the identity privacy argument: usually, the certificate leaks
> more information (DN, issuer, ...) than the User-Name itself. As it sent
> in clear during the TLS handshake, there is simple way to provide
^^^^^^^^^^
pre-coffee bug : should be "no simple way"