In typical client-server communications, a server accepts communications from a client only if that client has successfully authenticated itself to the server (e.g., by presenting valid credentials). When the server must communicate with an untrusted client without first authenticating that client, typical systems provide no mechanism for preventing third parties from impersonating the client.
For example, in typical systems, the server receives an identifier associated with the untrusted client and issues credentials to the untrusted client in return. The server, however, has no mechanism for determining whether the untrusted client is the legitimate client. A malicious third party may therefore impersonate, spoof, or otherwise pretend to be the legitimate client simply by presenting that identifier and receiving the issued credentials. Such a malicious third party may then store corrupted data on the server or cause other harm.
Further, in typical systems, the server has no mechanism for recognizing that the untrusted client is a malicious third party, nor for reversing any damage that the malicious third party has caused.