It was pointed out to me that the header protection in QUIC and DTLS 1.3 are different in a non-useful way:
https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#hp-chacha says that the first 4 bytes of the sample are the counter, i.e., `counter[4] || nonce[12]`. DTLS 1.3 says that the last four are, i.e., `nonce[12] || counter[4]`. This seems like a pointless difference that will only cause pain. I suspect that the right answer is that QUIC is wrong here, but I want to highlight this issue and want to ensure that this doesn't get baked in before we resolve it.
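The following is an added example, not part of the original message or of either specification: a pure-Python ChaCha20 block function (RFC 8439) used to derive a header protection mask from the same 16-byte sample under the two layouts the message describes. The function names, the little-endian counter encoding, and the 5-byte mask length are assumptions made for illustration; the key, counter and nonce are the RFC 8439 section 2.3.2 block-function test inputs, arranged here as a constructed sample.

```python
import struct

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def _quarter_round(s, a, b, c, d):
    # The four add/xor/rotate steps of the ChaCha quarter round.
    for x, y, z, rot in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        s[z] = _rotl(s[z] ^ s[x], rot)

def chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 32-byte key, 32-bit counter, 12-byte nonce."""
    init = struct.unpack(
        "<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce)
    s = list(init)
    for _ in range(10):  # 10 double rounds (column + diagonal) = 20 rounds
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, a, b, c, d)
    return struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(s, init)))

# Constructed sample: RFC 8439 section 2.3.2 counter (1) and nonce, counter first.
KEY = bytes(range(32))
SAMPLE = bytes.fromhex("01000000" "000000090000004a00000000")

def mask_counter_first(hp_key, sample):
    """counter[4] || nonce[12]: the layout the message attributes to QUIC."""
    counter = struct.unpack("<I", sample[:4])[0]  # assumption: little-endian
    return chacha20_block(hp_key, counter, sample[4:16])[:5]

def mask_counter_last(hp_key, sample):
    """nonce[12] || counter[4]: the layout the message attributes to DTLS 1.3."""
    counter = struct.unpack("<I", sample[12:16])[0]  # assumption: little-endian
    return chacha20_block(hp_key, counter, sample[:12])[:5]

if __name__ == "__main__":
    # Same key and same sample bytes, two layouts: the masks do not match,
    # so an implementation shared between the two protocols needs both paths.
    print("counter first:", mask_counter_first(KEY, SAMPLE).hex())
    print("counter last: ", mask_counter_last(KEY, SAMPLE).hex())
    # Rotating the sample by 4 bytes converts one layout into the other.
    rotated = SAMPLE[4:] + SAMPLE[:4]
    print("layouts agree after rotation:",
          mask_counter_last(KEY, rotated) == mask_counter_first(KEY, SAMPLE))
```

The only difference between the two functions is which 4 bytes of the sample are read as the counter, which is why one ChaCha20 core can serve both layouts but a single sample-parsing routine cannot.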