I have some comments on rfc2633bis-00. I hoped to get to this document
sooner, but the RSA Conference last week was quite hectic.

Title Page. Please add a line to the heading that indicates that this
document, when approved, will obsolete RFC 2633.

Overall. Please change "draft" to "specification." This will avoid a
bunch of last-minute changes when we want to progress from Internet-Draft
to Standards-Track RFC.

Overall. Please change "content encryption key" to "content-encryption
key" to harmonize the terminology with RFC 2630 (and RFC 2630bis).

Overall. Please change "privacy" to "confidentiality" throughout the
document to align with the definitions in RFC 2828. In each case,
sentences will require slight rewording.

Section 1. Please add a subsection that describes the changes since RFC 2633.

Section 2.5, 2nd paragraph. The formatting got messed up. Please turn
into a list of bullets.

Section 2.5.1, 1st paragraph. Please delete references to trusted
timestamping services. If you wish, add a section that references the
attributes associated with such a service.

Section 2.5.2, 6th paragraph. Please fix the URL by removing the extra space.

Section 2.7.1. Please line up the bullets that begin the 3rd and 4th

Section 3.1. The current wording (rightly) prevents the encryption of the RFC
822 header. However, there should be some discussion about the protection
of this header information. There was a very long discussion of this topic
on the list, and the conclusions need to be documented here.

Section 5. Please replace the "[TBD]" with a sentence of warning about the
Million Message Attack and a reference to RFC 3218. Similarly,
implementors of Diffie-Hellman should be warned about small subgroups and
given a reference to RFC 2785.

ASN.1. Several of the types defined here are already in cmsalg. We should
trim the module to the minimum set of types.