Dear WG, After the meeting I was thinking through the security of version negotiation and I realized that there is a wrinkle with the way TLS and QUIC are layered, and proposals such as noise-QUIC. And that wrinkle is that while TLS is secure, and noise-QUIC is secure, nothing says that they are secure together when using the same PKI information or negotiate well together. With TLS 1.3 we finally added domain separation to what is signed, but one hopes protocol X does the same but different.
The other wrinkle is that so far with TLS we've had a pretty uniform idea of how transport parameters feed into the handshake, and thus assurance that they are actually implicitly authenticated by the finished messages and agreed upon. With an alternate handshake that goes away. Sincerely, Watson Ladd -- Astra mortemque praestare gradatim
