target = "https://tools.ietf.org/rfc/rfc8446#E.1.1"

# E.1.1.  Key Derivation and HKDF
#
# Key derivation in TLS 1.3 uses HKDF as defined in [RFC5869] and its
# two components, HKDF-Extract and HKDF-Expand.  The full rationale for
# the HKDF construction can be found in [Kraw10] and the rationale for
# the way it is used in TLS 1.3 in [KW16].  Throughout this document,
# each application of HKDF-Extract is followed by one or more
# invocations of HKDF-Expand.  This ordering should always be followed
# (including in future revisions of this document); in particular, one
# SHOULD NOT use an output of HKDF-Extract as an input to another
# application of HKDF-Extract without an HKDF-Expand in between.
# Multiple applications of HKDF-Expand to some of the same inputs are
# allowed as long as these are differentiated via the key and/or the
# labels.
# 
# Note that HKDF-Expand implements a pseudorandom function (PRF) with
# both inputs and outputs of variable length.  In some of the uses of
# HKDF in this document (e.g., for generating exporters and the
# resumption_master_secret), it is necessary that the application of
# HKDF-Expand be collision resistant; namely, it should be infeasible
# to find two different inputs to HKDF-Expand that output the same
# value.  This requires the underlying hash function to be collision
# resistant and the output length from HKDF-Expand to be of size at
# least 256 bits (or as much as needed for the hash function to prevent
# finding collisions).

[[spec]]
level = "SHOULD"
quote = '''
This ordering should always be followed
(including in future revisions of this document); in particular, one
SHOULD NOT use an output of HKDF-Extract as an input to another
application of HKDF-Extract without an HKDF-Expand in between.
'''