On Thu, Apr 22, 2021, at 14:11, Watson Ladd wrote:
> With TLS 1.3 we finally added domain
> separation to what is signed, but one hopes protocol X does the same
> but different.

Good catch Watson. This is an important assumption to state. Opened:
https://github.com/quicwg/version-negotiation/issues/36

> The other wrinkle is that so far with TLS we've had a pretty uniform
> idea of how transport parameters feed into the handshake, and thus
> assurance that they are actually implicitly authenticated by the
> finished messages and agreed upon. With an alternate handshake that
> goes away.

I think that we have this one covered at least. We require that the cryptographic handshake authenticate the transport parameters:
https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#section-7-3.2
