From @squarooticus:
§ 7.1 is going to trigger some folks who have ETM (encrypt-then-mac) on the brain to avoid leaking information, so some reassurance that the packet hashes are in the encrypted stream would probably suffice to prevent this reaction.
Response from Jake:
I guess the flow here if the hash is on the encrypted packet is:
hash the packet with the channel's hash algorithm
decrypt the packet (or at least the header) so you have the packet number
check the hash, reject if it doesn't match
parse the packet and accept it (provided it doesn't trigger protocol errors, etc.)
From @squarooticus: § 7.1 is going to trigger some folks who have ETM (encrypt-then-mac) on the brain to avoid leaking information, so some reassurance that the packet hashes are in the encrypted stream would probably suffice to prevent this reaction.
Response from Jake:
I guess the flow here if the hash is on the encrypted packet is:
Would that work better?