by tptacek 888 days ago
I go the other way and tell people to ignore KMAC and just use HMAC for everything, and then you don't really need to know about truncated SHA2.
1 comment

Fair, I have no experience with which approach is more likely to prevent naive users from blowing their own feet off in practice.
My feeling is that like in 2001 it would have been valuable to get people to switch to a non-extendable hash by default because people were freelancing their own MACs, but sometime in the intervening 2 decades people switched fully over to HMAC, so that if you're dealing with someone who is literally writing their own prefixed key hash MAC, you've got bigger problems than Merkle-Damgård.