Maybe HMAC have the wrong API; if the standard library call took a list of strings rather than a single one, and added separators unambiguously, these flaws would occur less often.

The first one is a key I generated back in 1997 to demonstrate the fingerprint spoofing attack which results from the design mistake that the key component lengths are not included in the md5 hash whch forms the fingerprint in pgp2.x. The fingerprint attack details below [1] (btw. DO NOT USE THE KEY, the fingerprint attack makes it readable by anyone because of the small factors of the replacement N used).