
I'm behind on this! But let me comment on the stuff that got merged recently.

"prop224: Remove the MAINT_INTRO feature."
"prop224: Clarify backwards compatibility sections slightly."
"prop224: Clarify use of shared random values."
"prop224: Fix undefined variables in the ntor section."

Looks ok.

"prop224: Add missing key expansion section for rendezvous crypto."

KDF-Tor is a legacy algorithm, and we want to get away from SHA1. We don't use KDF-Tor with NTOR. Let's kill it for new use. I'd suggest HKDF-SHA256 or SHAKE, both of which we have implemented already.

"prop224: In cells, replace TYPE/LEN/KEY with just TYPE/KEY."

I'm not sure about this change. If we ever add a third key type, all of the cells will be unparseable.

"prop224: Various improvements."

There's no point in using HKDF with SHAKE; we should just use SHAKE as the KDF.
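The TYPE/LEN/KEY versus TYPE/KEY concern in the comment above, as an added example that is not part of the original comment or of prop224: a parser that knows two key types meets a record of a third type, once with a LEN field and once without. The field widths (1-byte TYPE, 2-byte big-endian LEN), the type codes, the key lengths and all names are assumptions made for illustration, not the proposal's cell layout.

```python
import struct

# Assumed registry of key types an older parser knows (constructed values,
# not prop224's): type code -> fixed key length in bytes.
KNOWN_KEY_LENGTHS = {0x01: 32, 0x02: 32}

class UnparseableCell(ValueError):
    pass

def parse_type_len_key(buf):
    """Parse TYPE(1) | LEN(2, big-endian) | KEY(LEN) records, skipping unknown types."""
    keys, off = [], 0
    while off < len(buf):
        if len(buf) - off < 3:
            raise UnparseableCell("truncated TYPE/LEN header")
        ktype, klen = struct.unpack_from("!BH", buf, off)
        off += 3
        if len(buf) - off < klen:
            raise UnparseableCell("LEN runs past end of cell")
        key, off = buf[off:off + klen], off + klen
        expected = KNOWN_KEY_LENGTHS.get(ktype)
        if expected is None:
            continue  # unknown type: LEN tells us how far to skip
        if klen != expected:
            raise UnparseableCell("wrong length for known key type")
        keys.append((ktype, key))
    return keys

def parse_type_key(buf):
    """Parse TYPE(1) | KEY records where the length is implied by TYPE alone."""
    keys, off = [], 0
    while off < len(buf):
        ktype = buf[off]
        off += 1
        klen = KNOWN_KEY_LENGTHS.get(ktype)
        if klen is None:
            # No LEN field and no registry entry: the record boundary is unknown.
            raise UnparseableCell("unknown key type 0x%02x, cannot find next field" % ktype)
        if len(buf) - off < klen:
            raise UnparseableCell("truncated key")
        keys.append((ktype, buf[off:off + klen]))
        off += klen
    return keys

# Constructed sample: two known keys with a hypothetical future type 0x03 (57 bytes) between them.
K1, K3, K2 = b"\x11" * 32, b"\x33" * 57, b"\x22" * 32
RECORDS = [(0x01, K1), (0x03, K3), (0x02, K2)]
WITH_LEN = b"".join(struct.pack("!BH", t, len(k)) + k for t, k in RECORDS)
WITHOUT_LEN = b"".join(bytes([t]) + k for t, k in RECORDS)
```

On the constructed input, `parse_type_len_key(WITH_LEN)` skips the unknown record and returns both known keys, while `parse_type_key(WITHOUT_LEN)` raises at the unknown type and never reaches the key that follows it.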