target = "https://www.rfc-editor.org/rfc/rfc9000#section-7"

# 7.  Cryptographic and Transport Handshake
#
# QUIC relies on a combined cryptographic and transport handshake to
# minimize connection establishment latency.  QUIC uses the CRYPTO
# frame (Section 19.6) to transmit the cryptographic handshake.  The
# version of QUIC defined in this document is identified as 0x00000001
# and uses TLS as described in [QUIC-TLS]; a different QUIC version
# could indicate that a different cryptographic handshake protocol is
# in use.
# 
# QUIC provides reliable, ordered delivery of the cryptographic
# handshake data.  QUIC packet protection is used to encrypt as much of
# the handshake protocol as possible.  The cryptographic handshake MUST
# provide the following properties:
# 
# *  authenticated key exchange, where
# 
#    -  a server is always authenticated,
# 
#    -  a client is optionally authenticated,
# 
#    -  every connection produces distinct and unrelated keys, and
# 
#    -  keying material is usable for packet protection for both 0-RTT
#       and 1-RTT packets.
# 
# *  authenticated exchange of values for transport parameters of both
#    endpoints, and confidentiality protection for server transport
#    parameters (see Section 7.4).
# 
# *  authenticated negotiation of an application protocol (TLS uses
#    Application-Layer Protocol Negotiation (ALPN) [ALPN] for this
#    purpose).
# 
# The CRYPTO frame can be sent in different packet number spaces
# (Section 12.3).  The offsets used by CRYPTO frames to ensure ordered
# delivery of cryptographic handshake data start from zero in each
# packet number space.
# 
# Figure 4 shows a simplified handshake and the exchange of packets and
# frames that are used to advance the handshake.  Exchange of
# application data during the handshake is enabled where possible,
# shown with an asterisk ("*").  Once the handshake is complete,
# endpoints are able to exchange application data freely.
# 
# Client                                               Server
# 
# Initial (CRYPTO)
# 0-RTT (*)              ---------->
#                                            Initial (CRYPTO)
#                                          Handshake (CRYPTO)
#                        <----------                1-RTT (*)
# Handshake (CRYPTO)
# 1-RTT (*)              ---------->
#                        <----------   1-RTT (HANDSHAKE_DONE)
# 
# 1-RTT                  <=========>                    1-RTT
# 
#                  Figure 4: Simplified QUIC Handshake
# 
# Endpoints can use packets sent during the handshake to test for
# Explicit Congestion Notification (ECN) support; see Section 13.4.  An
# endpoint validates support for ECN by observing whether the ACK
# frames acknowledging the first packets it sends carry ECN counts, as
# described in Section 13.4.2.
# 
# Endpoints MUST explicitly negotiate an application protocol.  This
# avoids situations where there is a disagreement about the protocol
# that is in use.

[[spec]]
level = "MUST"
quote = '''
The cryptographic handshake MUST
provide the following properties:
'''

[[spec]]
level = "MUST"
quote = '''
Endpoints MUST explicitly negotiate an application protocol.
'''