It seems like we get ourselves in trouble by allowing multiple
external PSKs to be present.  If we allowed at most one external
PSK in a given ClientHello, then aborting the handshake on binder
failure would be the correct choice, as discovering a valid identity
would require discovering a valid key/password as well.

Disallowing multiple external PSKs would make migration scenarios a
little more annoying, but perhaps not fatally so.


Attachment: signature.asc
Description: PGP signature

TLS mailing list

Reply via email to