You wrote:
I just became aware of RFC 6979 "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)" (Informational).
I think deterministic signatures are a good thing, and using the secret key also as an HMAC key to generate the random input is a natural idea.
I agree.
But then one could arrange the details in many different ways. Is the method in RFC 6979 a good way?
I suspect it is "good" in the way that it is used in a couple of places, and nobody has proven it to be a bad way yet. Those are weak arguments.
It seems RFC 6979 uses HMAC_DRBG? You could use HKDF (RFC 5869) instead to derive the key, I think, but it is also based on HMAC.
After a quick reading, the steps c. and d. (Sec. 3.2) seem questionable; HMAC with a known constant key just seems more complicated than a simple hashing operation, and no more secure.
I know it is generally the wrong question to ask, but anyway: Could it be less secure? HMAC has some properties that go beyond the underlying hash function. For example, HMAC-MD5 is still considered secure (I believe) even though MD5 is broken.
However, I also suspect a time will come to find weaknesses in HMAC: it is so ubiquitously used (nice target for a crypto paper), there are modern alternatives with a more scientific design (= suggests weaknesses in earlier design), and generally the HMAC design is rather 1980ish with hard-coded magic numbers, so there are bound to be weaknesses -- side channel leakage or weak keys or whatever? I've been surprised that there have been so few results/studies on HMAC in recent years. That could also mean HMAC is perfect, of course. :-)
/Simon