Hi,

After having reviewed version 07, I have only one (minor) nit for version 8. You write:

  KDF: A key derivation function is a one-way function that provides cryptographic separation of key material. The KDF MAY use inputs from the row in the key table and the message being sent or received but MUST NOT depend on other configuration state.

I wonder whether that definition is correct. I have always considered forwarding secrecy a desirable but not necessary property for KDFs. For example, the key may not have the necessary properties, so a transformation may be needed (could be as simple as padding until a certain length). But if you can point me to a definition that includes one-way, I stand corrected.

Klaas