We already mention that, to prevent client enumeration attacks, the server should simulate a response if it does not recognize any of the PAKEShares but does share a PAKEScheme with the client. It may be good to additionally mention that if the client offers multiple key exchange options (e.g. PSK and pake extension), then the server should have a set preference between those two options instead of, say, only using the PSK if none of the PAKEShares are recognized. Otherwise there is an additional, slightly different client enumeration attack.
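The two server policies contrasted above, as an added sketch that is not part of the original comment, the draft, or any implementation. All function names, the `SCHEME_A` placeholder and the identities are hypothetical, and the model assumes the PSK offer itself is acceptable and that an observer sees only which key exchange the server's response selects.

```python
# Added illustration: toy model of the server's key-exchange choice.
# All names are hypothetical; identities below are constructed sample data.
from dataclasses import dataclass

REGISTERED = {"alice@example.test"}   # constructed: identities the server knows
SERVER_SCHEMES = {"SCHEME_A"}         # constructed placeholder PAKEScheme name


@dataclass(frozen=True)
class Offer:
    pake_shares: tuple   # (identity, scheme) pairs from the pake extension
    offers_psk: bool     # client also sent a PSK offer (assumed acceptable)


def pake_outcome(offer):
    """'real' if a PAKEShare is recognized, 'simulated' if only a scheme is shared."""
    if any(i in REGISTERED and s in SERVER_SCHEMES for i, s in offer.pake_shares):
        return "real"
    if any(s in SERVER_SCHEMES for _, s in offer.pake_shares):
        return "simulated"
    return None


def fallback_policy(offer):
    """Weak: PSK is used only when no PAKEShare is recognized."""
    if pake_outcome(offer) == "real":
        return "pake"
    if offer.offers_psk:
        return "psk"
    return "pake" if pake_outcome(offer) else "none"


def fixed_policy(offer, prefer_pake=True):
    """Preference is fixed and never depends on whether an identity is recognized."""
    pake_ok = pake_outcome(offer) is not None   # real and simulated look the same
    if prefer_pake and pake_ok:
        return "pake"
    if offer.offers_psk:
        return "psk"
    return "pake" if pake_ok else "none"


def leaks_registration(policy):
    """True if the visible choice differs between a known and an unknown identity."""
    known = Offer((("alice@example.test", "SCHEME_A"),), offers_psk=True)
    unknown = Offer((("unknown@example.test", "SCHEME_A"),), offers_psk=True)
    return policy(known) != policy(unknown)
```

Under the fallback policy the selected key exchange is a function of whether the identity is registered, so simulating the PAKE response alone does not hide it; with a fixed preference in either direction the selection is identical for both offers.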