Simon:
I want to raise a few minor concerns/questions.
(1) The specification only employs SHA-1. Should it be extended to include
SHA-256 in anticipation of 128-bit AES keys?
(2) Does the 1-pass D-H scheme use co-factor multiplication? I understand
that it is possible to do it with or without co-factor multiplication,
so I am really seeking clarification here. Are there IPR issues regarding
the choice?
(3) Can you say something about the unknown key-share attack on MQV? I
understand that this vulnerability can be avoided by explicit key
authentication. A paragraph in the Security Considerations section should
be sufficient.
(4) Section 3.2.2. "Parity bits adjusted according to the keywrap
algorithm" is rather vague. Please extract the appropriate text from RFC 2630.
Thanks,
Russ