Design an in-handshake retry for trust anchor IDs

[davidben]

This is better figured out post-adoption, but if we could do the retry in-handshake, rather than on a new connection, it would be easier for clients to deploy because the retry could be done inside the TLS stack.

Possible directions:

1. Add a new message, somewhere after the ServerHello, to trigger an extra roundtrip under handshake encryption.
2. Use HelloRetryRequest. The challenge is that ECH did not opt to encrypt HelloRetryRequest, so that might leak information about the target service. We could potentially define some way to start encrypting that.