quicwg · martinthomson · Aug 4, 2020 · Jul 14, 2020 · Jul 14, 2020 · Jul 14, 2020
diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md
@@ -913,9 +913,9 @@ QUIC packets have varying protections depending on their type:
   and integrity, using keys and algorithms negotiated by TLS.
 
 This section describes how packet protection is applied to Handshake packets,
-0-RTT packets, and packets with short headers. The same packet protection
+0-RTT packets, and 1-RTT packets. The same packet protection
 process is applied to Initial packets. However, as it is trivial to determine
-the keys, Initial packets are not considered to have confidentiality or
+the keys used for Initial packets, these packets are not considered to have confidentiality or
 integrity protection. Retry packets use a fixed key and so similarly lack
 confidentiality and integrity protection.
 

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
@@ -1177,8 +1177,8 @@ expected keys are available.
 
 Invalid packets that lack strong integrity protection, such as Initial, Retry,
 or Version Negotiation, MAY be discarded. An endpoint MUST generate a
-connection error if processing of the contents of these packets prior to
-discovering an error resulted in changes to the state of a connection that
+connection error if processing the contents of these packets prior to
+discovering an error resulted in changes to connection state that
 cannot be reverted.
 
 
@@ -3165,10 +3165,10 @@ section includes an overview of the protections that are provided.
 Version Negotiation packets have no cryptographic protection; see
 {{QUIC-INVARIANTS}}.
 
-Retry packets use an authenticated encryption with associated data (AEAD;
-{{?AEAD=RFC5116}}) function to protect against accidental modification.
+Retry packets use an authenticated encryption with associated data function
+(AEAD; {{?AEAD=RFC5116}}) to protect against accidental modification.
 
-Initial packets use an AEAD with keys that are statically derived. This does
+Initial packets use an AEAD with keys that are derived using a value that is visible on the wire, and therefore does
 not provide effective confidentiality protection. Initial protection exists to
 ensure that the sender of the packet is on the network path. Any entity that
 receives the Initial packet from a client can recover the keys that will allow
@@ -3182,8 +3182,8 @@ protected with 0-RTT and 1-RTT keys are expected to have strong confidentiality
 and integrity protection; the cryptographic handshake ensures that only the
 communicating endpoints receive the corresponding keys.
 
-The Packet Number field that appears in some packet types contains a packet
-number, which has additional confidentiality protection that is applied as part
+The Packet Number field that appears in some packet types
+has additional confidentiality protection that is applied as part
 of header protection; see Section 5.4 of {{QUIC-TLS}} for details. The
 underlying packet number increases with each packet sent in a given packet
 number space; see {{packet-numbers}} for details.