Separate spec and discussion

[huitema]

We may want to reuse EKR's email about threat model, and then explain how the design solves the various threats:

THREAT MODEL This leads us directly to the question of the threat model. I assume that we have what I termed a Class (3) attacker, which can inject packets and will always win the race but cannot delete packets. With that, you get the following pattern:

Client                  Attacker                Server

CInitial ->
                        CInitial' ->
                        CInitial  ->
                                           <- SInitial
                        <- SInitial'
                        <- SInitial

CHandshake ->
                        CHandshake ->

Our objective is to have the handshake survive this treatment. In an ideal world, we would cause the server and client to reject X' and process X but this isn't possible, with the design you suggest, because the attacker can always take CInitial, replace the CRYPTO frames with his own and then send it to the server, computing a new MAC based on his Zx. Note that this won't necessarily have the right ESNI but that doesn't matter, because it will have the same [SC]CID, and so will cause cause CInitial to be discarded when it is received. As far as I can tell, your current design does not prevent this. If I'm missing something here, let me know [0]

[kazuho]

@huitema Does #12 close the issue?

[huitema]

Yes it does.