It seems like we get ourselves in trouble by allowing multiple external PSKs to be present. If we allowed at most one external PSK in a given ClientHello, then aborting the handshake on binder failure would be the correct choice, as discovering a valid identity would require discovering a valid key/password as well.
Disallowing multiple external PSKs would make migration scenarios a little more annoying, but perhaps not fatally so. -Ben(jamin)
Description: PGP signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls