On Thu, May 10, 2018 at 2:11 PM Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> TLS 1.3 allows clients to send multiple PSK identities, with the server
> choosing one. When, if ever, might it make sense for the client to
> send multiple session tickets to the server? If this is not expected,
> is it sufficiently odd for a server to ignore any tickets after the
> first (if that one is not usable)?

NSS only looks at the first PSK offered by clients. That is because we primarily use PSK for session resumption. I think that others do the same. I don't think that it makes a whole lot of sense to attempt to use multiple PSKs in the context of resumption. The option for multiple PSKs is something that is used in pure PSK modes, but I confess to not fully understanding the reasons you might use multiple PSKs. I suspect that they are most useful during a key rollover.
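
The two server behaviours discussed in this thread, as an added example that is not part of the original messages and is not NSS code: it parses the `OfferedPsks` structure of the `pre_shared_key` extension (RFC 8446, section 4.2.11) and compares a first-identity-only policy with a first-usable-identity policy. The ticket names, the `KNOWN_TICKETS` set and all function names are hypothetical, and binder verification is left out.

```python
import struct

def vec16(buf, off):  # vector with a 2-byte length prefix -> (body, next_offset)
    end = off + 2 + int.from_bytes(buf[off:off + 2], "big")
    if end > len(buf):
        raise ValueError("truncated vector")
    return buf[off + 2:end], end

def parse_offered_psks(data):
    """Parse OfferedPsks (RFC 8446, 4.2.11) into (identity, age, binder) tuples."""
    ids_raw, off = vec16(data, 0)
    binders_raw, off = vec16(data, off)
    if off != len(data):
        raise ValueError("trailing bytes")
    ids, i = [], 0
    while i < len(ids_raw):
        ident, i = vec16(ids_raw, i)
        if not ident or i + 4 > len(ids_raw):
            raise ValueError("bad PskIdentity")
        ids.append((ident, struct.unpack_from("!I", ids_raw, i)[0]))
        i += 4
    binders, i = [], 0
    while i < len(binders_raw):
        n = binders_raw[i]  # PskBinderEntry has a 1-byte length, 32..255
        if n < 32 or i + 1 + n > len(binders_raw):
            raise ValueError("bad PskBinderEntry")
        binders.append(binders_raw[i + 1:i + 1 + n])
        i += 1 + n
    if not ids or len(ids) != len(binders):
        raise ValueError("identity/binder count mismatch")
    return [(ident, age, b) for (ident, age), b in zip(ids, binders)]

def select_identity(offered, known, first_only):
    """Index for selected_identity, or None to fall back to a full handshake."""
    candidates = offered[:1] if first_only else offered
    for index, (ident, _age, _binder) in enumerate(candidates):
        if ident in known:  # hypothetical lookup; the binder must still be verified
            return index
    return None

def build_offered_psks(entries):
    """Encode constructed sample entries, for demonstration only."""
    ids = b"".join(struct.pack("!H", len(i)) + i + struct.pack("!I", a) for i, a, _ in entries)
    binders = b"".join(bytes([len(b)]) + b for _, _, b in entries)
    return struct.pack("!H", len(ids)) + ids + struct.pack("!H", len(binders)) + binders

# Constructed sample: a ticket the server no longer recognizes, then a usable one.
SAMPLE = build_offered_psks([(b"ticket-old", 1000, b"\x00" * 32), (b"ticket-new", 2000, b"\x11" * 32)])
KNOWN_TICKETS = {b"ticket-new"}
```

With this sample, the first-only policy falls back to a full handshake, while the first-usable policy resumes with the second ticket.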