Doesn't that depend on how you authorize the client certs themselves?

It's one thing to _issue_ a cert. It's another to _approve_ that issued cert.

If you're blindly accepting certs, you've got other issues.