HBrock
commented
1 year ago Currently Section 5.1.3 is structured based on the keys to use for message protection. Here we use KEM keys for message protection and only use a symmetric key indirectly, like with Diffie-Hellmann in Section 5.1.3.2. I would propose to rename Section 5.1.3.1 to focus it more on pre-shared keys and passwords and keep the protection using KEM keys in Section 5.1.3.4.
DDvO
[this issue was carved out of #3]
The HPKE+MAC-based message protection is 'just' another special case of the MAC-based message protection very briefly described in section 5.1.3.1. So IMO all the text of 5.1.3.4 should better move there (strictly speaking, as a subsection of 5.1.3.1, but I'd say we can and should save the extra nesting).