John,
The ESS I-D eSSSecurityLabels can be different in the inner and outer
signedData layers.
Also, as the ESS text is now, my understanding is that the originator's
security label is mandated
The inclusion of an eSSSecurityLabel is optional.
and must be part of the recipient's access control
rules even if the label has no semantics in the receiving domain.
ESS does not mandate what action is taken when an access control error
occurs. That is a matter of local policy.
Those are the two issues I am arguing against.
JR