In `[HS-DESC-FIRST-LAYER]` of `rend-spec-v3.txt` it says: The first layer of HS descriptor encryption is designed to protect descriptor confidentiality against entities who don't know the blinded public key of the hidden service. However the HSDir does know the blinded public key, as that's part of the `descriptor-signing-key-cert` described in `[DESC-OUTER]`. Should the above quote instead be "...against entities who don't know the _public identity master key_ of the hidden service"