On Sun, Mar 18, 2018 at 03:24:02PM +0000, Lanlan Pan wrote:
> Benjamin Kaduk <ka...@mit.edu> wrote on Wed, Mar 14, 2018 at 10:02 AM:
> 
> > It seems like we get ourselves in trouble by allowing multiple
> > external PSKs to be present.  If we allowed at most one external
> > PSK in a given ClientHello, then aborting the handshake on binder
> > failure would be the correct choice, as discovering a valid identity
> > would require discovering a valid key/password as well.
> >
> > Disallowing multiple external PSKs would make migration scenarios a
> > little more annoying, but perhaps not fatally so.
> >
> 
> What about each external PSK's survival time?
> 
> It seems it should be updated periodically.

It should, but that has always been the case and nothing has changed
in that regard in TLS 1.3 vs TLS 1.2.  (In practice, they are not,
and nothing we say in the document is likely to produce substantial
change in that regard.)

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
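An added example, not code from this thread or from the RFC authors, showing the external-PSK binder computation of RFC 8446 section 4.2.11.2 and the server-side selection rule the quoted discussion is about: unknown identities are skipped, while a known identity whose binder fails aborts the handshake. The PSK values and the truncated ClientHello bytes are constructed placeholders, and the transcript hash is taken directly over those bytes.

```python
# Added example (not from the thread): RFC 8446 PSK binder computation and
# the server-side check over a ClientHello that offers several external PSKs.
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:  # HKDF-Expand, RFC 5869
        block = hmac.new(secret, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def binder_for(psk: bytes, truncated_client_hello: bytes) -> bytes:
    # early_secret = HKDF-Extract(0, PSK); binder_key = Derive-Secret(early_secret,
    # "ext binder", "") for external PSKs; finished_key as in section 4.4.4.
    early_secret = hkdf_extract(bytes(HLEN), psk)
    binder_key = hkdf_expand_label(early_secret, b"ext binder", HASH(b"").digest(), HLEN)
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HLEN)
    # Transcript-Hash over the ClientHello truncated before the binders list
    # (constructed bytes stand in for the real message here).
    transcript_hash = HASH(truncated_client_hello).digest()
    return hmac.new(finished_key, transcript_hash, HASH).digest()


def select_psk(server_psks: dict, offered: list, truncated_client_hello: bytes):
    """Section 4.2.11: pick the first offered identity the server knows and
    verify its binder; a bad binder aborts. Identities the server does not
    know are skipped, which is the asymmetry the thread discusses."""
    for index, (identity, binder) in enumerate(offered):
        psk = server_psks.get(identity)
        if psk is None:
            continue
        if not hmac.compare_digest(binder_for(psk, truncated_client_hello), binder):
            raise ValueError("decrypt_error: binder does not validate for selected PSK")
        return index
    return None  # no usable PSK: fall back to a full (EC)DHE handshake
```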
