quicwg · martinthomson · Oct 31, 2019 · Jul 3, 2019 · Jul 4, 2019 · Aug 7, 2019
diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md
@@ -767,8 +767,7 @@ TLS 1.3 (see {{initial-secrets}}).
 ## Initial Secrets {#initial-secrets}
 
 Initial packets are protected with a secret derived from the Destination
-Connection ID field from the client's first Initial packet of the
-connection. Specifically:
+Connection ID field from the client's Initial packet. Specifically:
 
 ~~~
 initial_salt = 0x7fbcdb0e7c66bbe9193a96cd21519ebd7a02644a
@@ -800,8 +799,10 @@ modifying the contents of packets from future versions.
 The HKDF-Expand-Label function defined in TLS 1.3 MUST be used for Initial
 packets even where the TLS versions offered do not include TLS 1.3.
 
-{{test-vectors-initial}} contains test vectors for the initial packet
-encryption.
+The secrets used for protecting Initial packets change when a server sends a
+Retry packet to use the connection ID value selected by the server.  The secrets
+do not change when a client changes the Destination Connection ID it uses in
+response to an Initial packet from the server.
 
 Note:
 
@@ -811,6 +812,9 @@ Note:
   that the server received its packet; the client has to rely on the exchange
   that included the Retry packet for that property.
 
+{{test-vectors-initial}} contains test vectors for the initial packet
+encryption.
+
 
 ## AEAD Usage {#aead}