[Cryptography] Why is a short HMAC key zero-padded instead of hashed?

Jerry Leichter leichter at lrw.com
Sun Feb 5 08:33:44 EST 2017


> 
>> Ironically, the listed authors of the RFC are actually the same as the
>> authors of the original paper!  Were they actually involved at the point the
>> final algorithm was decided?  Or was it some late editorial decision by some
>> committee somewhere?
> 
> https://www.ietf.org/mail-archive/web/cfrg/current/msg08951.html
> 
> It's just standard standards politics, no evil conspiracy or anything.
Well ... I'm glad that in this case it was possible to track things back.

My concern was never with the particular bit of the standards.  It was, and remains, with the process.  Until the last couple of days, how many people in the world even knew that HMAC, as officially standardized, was not the same as HMAC, proposed and proved secure?  Surprised the hell out of me!  What other little surprises are sitting there, in the open but effectively hidden, because who has the time to cross-check everything?

BTW, if you really want to be paranoid ... a question does remain:  Why did the IKE guys feel the need to push their particular construction into HMAC this way?  Had HMAC been standardized to accept only keys no longer than the block length, they could have simply defined IKE with trivially different language to construct an HMAC key from the passphrase, then apply the standard HMAC.  Why diddle with one standard to make the wording of another one slightly simpler?

                                                        -- Jerry
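
The alternative raised in the message above, as an added example that is not part of the original post: an HMAC that rejects keys longer than the hash block, with the caller hashing a long input down to a key first, compared against the standard behaviour of hashing long keys and zero-padding short ones. SHA-256, the names `strict_hmac` and `key_from_passphrase`, and the sample inputs are assumptions made for illustration.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().block_size  # 64 bytes for SHA-256


def strict_hmac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 built by hand, accepting only keys up to one block."""
    if len(key) > BLOCK:
        raise ValueError("key longer than the hash block; derive a key first")
    padded = key.ljust(BLOCK, b"\x00")  # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in padded)
    opad = bytes(b ^ 0x5C for b in padded)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def key_from_passphrase(passphrase: bytes) -> bytes:
    """Hypothetical caller-side step: hash the long input down to a key."""
    return hashlib.sha256(passphrase).digest()


def rfc2104_hmac(key: bytes, msg: bytes) -> bytes:
    """Standard-library HMAC, which hashes keys longer than one block."""
    return hmac.new(key, msg, hashlib.sha256).digest()


# Constructed sample inputs.
MSG = b"constructed sample message"
LONG_KEY = b"p" * 100   # longer than BLOCK
SHORT_KEY = b"k" * 16   # shorter than BLOCK


def demo() -> dict:
    return {
        # Long key: hashing inside HMAC equals hashing in the caller.
        "long_key_matches": hmac.compare_digest(
            rfc2104_hmac(LONG_KEY, MSG),
            strict_hmac(key_from_passphrase(LONG_KEY), MSG)),
        # Short key: zero padding makes K and K || 0x00 the same HMAC key.
        "zero_pad_equivalent": hmac.compare_digest(
            rfc2104_hmac(SHORT_KEY, MSG),
            rfc2104_hmac(SHORT_KEY + b"\x00", MSG)),
        # Short key: the strict version agrees with the library.
        "short_key_matches": hmac.compare_digest(
            rfc2104_hmac(SHORT_KEY, MSG), strict_hmac(SHORT_KEY, MSG)),
    }


if __name__ == "__main__":
    print(demo())
```

The first result shows that moving the long-key hashing into the caller produces the same tag; the second shows that zero padding makes a short key and the same key with a trailing zero byte interchangeable.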


