Robert,
Thanks for your quick and thoughtful consideration of the comments. Your
responses look good; we've a residual content-level observation to make on
only one item:
[Sec. 4]
Re: "This isn't clear to me. For example, if an attacker modified both
public keys to be yb=ya=1 and the parties authenticated each other over a
telephone conversation in which they read out the agreed upon key. Now, they
will both agree on the same key and they will have a certain level of
authentication, but the attacker will be able to eavesdrop. Thus, it is
important that each party's *public key* be authenticated, which is the
point I was trying to make with this section. However, I agree that the way
things are presently worded may be misleading. I will change the first
sentence of the second paragraph to "In some ephemeral-ephemeral key
agreements protection may be required for both entities." "
Good points. As you observe, E-E gives an attacker more flexibility since
both parties' public keys can be changed and they can be coerced into
computing the same key from a small space. In E-S, only the sender's public
key can be changed, and only the recipient can be coerced by an outsider
attacker into computing a key from a small space. While this may be
apparent, it seems useful to state explicitly for purposes of clarifying
comparison.
[Sec. 3, minor editorial]
Re: How about if I add a sentence following the first paragraph of Section 3
stating "Implementer's should note that some of the procedures described in
this section may be the subject of patents or pending patents."
"Implementer's" -> "Implementers".
--jl
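
Added example, not part of the original message: a Python sketch of the E-E versus E-S comparison from the [Sec. 4] item, showing which party an outsider can coerce into computing the key 1 by substituting the public key value 1. The toy group parameters, the function names, and the subgroup membership check in `validate_public_key` are assumptions introduced here; the message itself discusses authenticating public keys and does not describe this check.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def keypair():
    """Return (private x, public y = G^x mod P) with x in [1, Q-1]."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def validate_public_key(y):
    """Accept y only if 2 <= y <= P-2 and y lies in the order-Q subgroup."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1

def run_exchange(a_to_b=None, b_to_a=None, validate=False):
    """Run one agreement between A and B.

    a_to_b / b_to_a: value substituted in transit for that public key
    (None leaves it untouched). Returns (key at A, key at B); an entry is
    None when that party rejected the public key it received.
    """
    xa, ya = keypair()
    xb, yb = keypair()
    seen_by_b = ya if a_to_b is None else a_to_b
    seen_by_a = yb if b_to_a is None else b_to_a

    def derive(own_private, peer_public):
        if validate and not validate_public_key(peer_public):
            return None
        return pow(peer_public, own_private, P)

    return derive(xa, seen_by_a), derive(xb, seen_by_b)

if __name__ == "__main__":
    # E-E: both public keys replaced with 1, both sides compute the key 1.
    print("E-E, both tampered:      ", run_exchange(a_to_b=1, b_to_a=1))
    # E-S: B's static key cannot be replaced, so only B is coerced.
    print("E-S, sender tampered:    ", run_exchange(a_to_b=1))
    # With the check, the substituted value is rejected.
    print("E-E, tampered, validated:", run_exchange(1, 1, validate=True))
```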