With more diligence I probably could've answered these from the archives.
But a few questions:
1) I'm surprised S/MIME doesn't use CMSs' digested-data with enveloped-data.
In the case of encrypted but not signed mails, doesn't this leave the
message vulnerable to things like cut-and-paste attacks (where an attacker
reorders ciphertext blocks, so upon decrypting the recipient sees reordered
plaintext)?
2) At some point I thought there was an Internet-Draft for a signed
attribute to address Don Davis' surreptitious forwarding concern. I don't
see it now. Has that been dropped, or has some other fix been incorporated
somewhere?
3) I see that Diffie-Hellman key pairs can be encrypted to, using either
static-static or ephemeral-static modes. It seems like a Diffie-Hellman key
pair should be able to sign as well, using something like a static-ephemeral
mode. Is there a cryptographic reason why this can't/shouldn't be done, or
is it just incidental that it isn't supported?
The reason it seems like this might be useful is that Diffie-Hellman
agreement values can be cached, so a signer could perform lots of signatures
efficiently with such a key pair, which could be useful for something like a
DOMSEC gateway, which may have high volume mail flows and large key pairs.
Trevor