V6 - Proper/safe MAC usage (in contrast to digital signatures)

[randomstuff]

Should there be a requirement about the proper usage of MAC (in contrast to digital signatures). In particular, if there are more than two participants, MAC is usually not safe.

See for example Differences between Digital Signatures and MACs in the JWS RFC (emphasis mine):

Both signatures and MACs provide for integrity checking -- verifying that the message has not been modified since the integrity value was computed. However, MACs provide for origination identification only under specific circumstances. It can normally be assumed that a private key used for a signature is only in the hands of a single entity (although perhaps a distributed entity, in the case of replicated servers); however, a MAC key needs to be in the hands of all the entities that use it for integrity computation and checking. Validation of a MAC only provides corroboration that the message was generated by one of the parties that knows the symmetric MAC key. This means that origination can only be determined if a MAC key is known only to two entities and the recipient knows that it did not create the message. MAC validation cannot be used to prove origination to a third party.

Note: another problematic scenario mentioned here is when a MAC-ed message send from A to B could be sent again from B to A.

[randomstuff]

As discussed in #2375, this may not be for V6.