Reviewer: Adam Montville
Review result: Ready

Based on my review of this draft I would classify it as "ready" for publication, with some minor caveats that don’t fundamentally undermine its readiness.

The draft defines a clear, well-specified mechanism for encrypting the ClientHello. It leverages established cryptographic primitives and preserves existing TLS 1.3 security properties. The threat model is thoroughly addressed with a formal analysis documented in a reference.

If it is possible (possibly not in this draft) to offer more detailed operational guidance on key rotation, that would be helpful. There are some points in the document that might allude to implementation-specific configuration choices. Implementations would ideally expose these choices to operators so they can make the best possible choices for their needs.