> If the key mgmt mechanism doesn't already understand this difference, > then it already has much bigger problems, IMHO. Ran, could you elaborate on this remark? Why should not the key management essential information be restricted to identifier, number of bits of key, key? This seems like a clean way of separating key exchange from key use.