
Does Corda really require a notary to achieve uniq

Posted 2019-08-01 15:18

Question:

The Corda introduction to consensus says "uniqueness consensus is provided by notaries."

Are we saying that without a notary that it would be possible for A to convince B to commit a transaction to its ledger involving a state X as an input and at the same time, or later, convince C to commit a different transaction involving X to its ledger?

In this situation the ledger of A would be inconsistent with that of C (or B or both depending on what transaction, if any, it chooses to commit) and A would have created a situation that is inconsistent now and can never become consistent between A, B and C.

Presumably, the Corda framework tries to prevent this kind of thing as far as possible, so is this all about honesty? I.e. we're talking about the situation where A completely subverts its own infrastructure, i.e. doesn't use Corda as intended, and lies in all the messages it sends other parties?


Update: this question was initially asked due to my mistaken belief that notaries were an optional element of a Corda system. They are not, but their involvement may be optional for particular transactions, e.g. ones that involve no input states (and therefore by their nature have no double-spend issue).

The important thing that @joel makes clear in his answer is that the double-spend issue can also be a problem even if all parties trust each other, i.e. no malicious behavior is expected.

Once a party in Corda determines that validity consensus has been reached for a transaction it can immediately commit the transaction to its own ledger, i.e. it does not first try to reach some kind of additional BFT style consensus with the other parties that they can and will definitely commit the transaction to their respective ledgers as well.

So in the above scenario A could honestly/mistakenly propose two different transactions to B and C. B and C would both reach validity consensus on their respective transactions and commit them to their own ledgers with A only being confronted with the double-spend issue when it afterwards tried to commit the second of the two transactions to its own ledger.

The notary avoids such situations (whether the result of malicious intent or not).

Answer 1:

There are two reasons you need a notary:

  • Malicious nodes: A node purposefully extracts a consumed state from its vault, consumes it in another transaction, and sends the transaction to a counterparty who didn't see the original transaction
  • Race conditions: Two nodes simultaneously propose transactions consuming the same state
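The scenario from the question (A proposes two transactions consuming state X, one to B and one to C) can be modelled as below. This is an added example, not part of the original answer and not Corda code: `Tx`, `Notary`, `Node` and `scenario` are hypothetical names, validity checks and signatures are left out, and treating a repeat notarisation of the same transaction as a no-op is a modelling choice.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    tx_id: str
    inputs: frozenset  # state refs this transaction consumes


class DoubleSpend(Exception):
    pass


class Notary:
    """Toy uniqueness service: records which transaction consumed each state."""

    def __init__(self):
        self.consumed = {}  # state ref -> id of the consuming transaction

    def notarise(self, tx):
        clash = {r for r in tx.inputs if self.consumed.get(r, tx.tx_id) != tx.tx_id}
        if clash:
            raise DoubleSpend(f"{tx.tx_id}: already consumed {sorted(clash)}")
        self.consumed.update({r: tx.tx_id for r in tx.inputs})


class Node:
    def __init__(self, name):
        self.name, self.spent, self.ledger = name, {}, []

    def commit(self, tx, notary=None):
        # A node can only detect conflicts with transactions it has seen itself.
        if any(self.spent.get(r, tx.tx_id) != tx.tx_id for r in tx.inputs):
            raise DoubleSpend(f"{self.name} already saw an input of {tx.tx_id} spent")
        if notary is not None and tx.inputs:  # no inputs, nothing to double-spend
            notary.notarise(tx)
        self.spent.update({r: tx.tx_id for r in tx.inputs})
        self.ledger.append(tx.tx_id)


def scenario(use_notary):
    """A proposes tx1 to B and tx2 to C; both consume state X (constructed data)."""
    notary = Notary() if use_notary else None
    b, c = Node("B"), Node("C")
    tx1, tx2 = Tx("tx1", frozenset({"X"})), Tx("tx2", frozenset({"X"}))
    rejected = []
    for node, tx in ((b, tx1), (c, tx2)):
        try:
            node.commit(tx, notary)
        except DoubleSpend:
            rejected.append(tx.tx_id)
    return b.ledger, c.ledger, rejected
```

Without the notary, B and C each commit a transaction that looks fine from their own vault; with it, the second request for X is refused regardless of whether A acted maliciously or by mistake.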