Draft NIST SP 800-56 and KDFs

Dear S/MIME WG:

Last month, I reviewed the draft NIST SP 800-56.  I sent in some comments 
about the requirements and the impact to Key Derivation Functions (KDFs) 
used in the S/MIME documents.  I choose to focus on RFC 3278 in my 
comments, but I believe that the issues relate to all of the key agreement 
key management documents.
NIST SP 800-56 (and the other documents in this series) are important to 
implementors that want to have FIPS 140-2 validation of their products.
Earlier this week, I met with some folks from the U.S. Government about my 
comments.  I got some very clear guidance regarding the inputs to the 
KDF.  There are two cases to consider: static public keys and ephemeral 
public keys.
When a static public key is used, one of the inputs to the KDF must be an 
identifier that is bound to the static public key.  This could be an 
identity from the certificate that contains the static public key, a hash 
of the certificate, or the whole certificate.  In S/MIME, the email address 
seems like a very natural choice, but this may not be the best approach in 
other CMS contexts.
When an ephemeral public key is used, one of the inputs to the KDF must be 
an indicator that an ephemeral public key was used.  The idea is to clearly 
designate that an ephemeral public key, as opposed to a static public key, 
was used.  The identifier in this case can be a constant, such as the ASCII 
string "ephemeral public key."  Of course, any constant would be acceptable.
With this guidance in hand, I would like to discuss the best form of 
identifier for CMS.
Russ