One of the comments raised during WG LC noted the difference between the RFC
3278 and NIST SP800-56A KDFs. RFC 3278 was hash(Z || counter || otherinfo)
and SP800-56A is hash(counter || Z || otherinfo). I think we need to
maintain backwards compatibility and *not* use the NIST SP800-56A KDF and
revert back to the KDF used in RFC 3278. Do others agree/disagree?

If we revert back, we'd make the following changes:

#1 - the last two paragraphs in Section 7.2 will refer to Section 3.6.1 of
[SEC1] instead of 6.3.2 of [SP800-56A].

I don't want people to miss this so...

#2 - We should amend the two sentences in 3.1.2 and 3.1.3 to say:

  The sending/receiving agent performs the key agreement operation of the
  Elliptic Curve Diffie-Hellman Scheme specified in [SP800-56A] or [SEC1]; in
  either case, use the KDF defined in Section 3.6.1 of [SEC1].

#3 - We should amend the two sentences in 3.2.2 and 3.1.3 to say:

  The sending/receiving agent then performs the key deployment and key
  agreement operations of the Elliptic Curve DH/MQV Scheme specified in
  [SP800-56A], but uses the KDF defined in Section 3.6.1 of [SEC1].

#4 - We should add a new Section 7.1.6 titled Key Derivation Algorithm. The
section will have one sentence: "The KDF used in this document is as
specified in 3.6.1 of [SEC1]."
spt
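The interoperability point in the message above, shown as an added example (not code from the message, the working group, or either specification): both KDFs are counter-mode hash constructions with a 4-byte big-endian counter starting at 1, and the only difference is where the counter sits in the hash input, but that is enough to make a sender using one and a receiver using the other derive different key-encryption keys. The shared secret Z, the otherinfo string and the choice of SHA-256 as the hash are constructed assumptions for illustration (RFC 3278 itself pairs the KDF with SHA-1); the function names are mine.

```python
import hashlib

# Constructed sample inputs (not from the message): a fake ECDH shared secret Z
# and a stand-in for the DER-encoded ECC-CMS-SharedInfo "otherinfo".
Z = bytes.fromhex("0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20")
OTHERINFO = b"constructed-otherinfo"


def _kdf(hash_name, keylen, layout):
    """Generic counter-mode KDF shared by both layouts.

    `layout` builds the per-block hash input from the 4-byte big-endian
    counter (which starts at 1). The digests are concatenated and truncated
    to keylen bytes, so a keylen longer than one digest needs several blocks.
    """
    out = b""
    counter = 1
    while len(out) < keylen:
        out += hashlib.new(hash_name, layout(counter.to_bytes(4, "big"))).digest()
        counter += 1
    return out[:keylen]


def kdf_sec1(z, otherinfo, keylen, hash_name="sha256"):
    """RFC 3278 / SEC1 3.6.1 layout: Hash(Z || counter || otherinfo)."""
    return _kdf(hash_name, keylen, lambda ctr: z + ctr + otherinfo)


def kdf_sp800_56a(z, otherinfo, keylen, hash_name="sha256"):
    """SP800-56A concatenation-KDF layout: Hash(counter || Z || otherinfo)."""
    return _kdf(hash_name, keylen, lambda ctr: ctr + z + otherinfo)


def interoperable(z, otherinfo, keylen, hash_name="sha256"):
    """True only if a sender on one KDF and a receiver on the other would
    end up with the same key-encryption key (i.e. the change is harmless)."""
    return kdf_sec1(z, otherinfo, keylen, hash_name) == kdf_sp800_56a(
        z, otherinfo, keylen, hash_name
    )


if __name__ == "__main__":
    # 40-byte output forces two SHA-256 blocks, exercising the counter loop.
    for name, fn in (("SEC1/RFC3278", kdf_sec1), ("SP800-56A", kdf_sp800_56a)):
        print(f"{name:13s} {fn(Z, OTHERINFO, 40).hex()}")
    print("interoperable:", interoperable(Z, OTHERINFO, 40))
```

Because the two outputs disagree on every byte, an implementation following RFC 3278 cannot unwrap a content-encryption key wrapped by one following SP800-56A, which is why the message treats the KDF choice as a backwards-compatibility decision rather than a cosmetic one.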