Does replacing the values of the nonces in messages 3 and 4 with the cookie values in the headers of these messages give an attacker any advantage?
The nonce should be randomly chosen while the cookie is generated in a way that the attacker cannot predict. From the attacker's point of view, they might be interchangeable as long as he does not know the local_secret used to generate the cookie.
What is more, according to the RFC the length of the cookie meets the minimal length requirement of the nonce.
Any insights?