Section 3.2.4: I find the notation confusing: hostA d-key(A)=(key-a+key-b).
Further, the use of "-" as part of the variable name is easy to confuse
with a math operator. I suggest that the paragraph be reworded to show
how to compute key_d_a and key_d_b, which also avoids the key names
looking like functions. Maybe:
Key Material is exchanged in plain text between hosts, and the key
parts (key_a, key_b) are used to generate the derived key (key_d)
by concatenating the two parts with the local key in front.
That is, key_d_a=key_a+key_b, and key_d_b=key_b+key_a.
If you accept this comment, then you might define the following:
* HMAC(A) = HMAC-SHA256(key_d_a, message)
* HMAC(B) = HMAC-SHA256(key_d_b, message)
Addresses ART review comment: