Yeah I think we incorrectly assumed that GMAC offers preimage resistance when the key is known. You’re right, that text is wrong. Luckily it doesn’t impact the protocol guarantees, since QUIC isn’t resilient to active attackers causing handshakes to fail
This is a low-value target. Prior to that spec change, retries were trivially forgeable. The intent here was to make that harder while minimizing computational requirements. Retries are sent when a server is under load so they need to be incredibly cheap to generate
Proud to have co-signed a letter with Vint Cerf and many others denouncing France’s plans to monitor and censor the Internet without warrants medium.com/@vgcerf/concerns-over-dn...