Sean:
Minor nits (and maybe showing my lack of understanding):
Sections 1.4 and 1.5 refer to the outputs as a ciphertext and an
authentication tag. Can we add the following parenthetical to the 1st
sentence of the last para in 3 to tie the two paras together?: ... "for the
AuthEnvelopedData mac field (i.e., the authentication tag)." The
authentication tag is referred to in AuthEnvelopedData ID.

I changed the algorithm descriptions in 1.4 and 1.5 to provide the
linkage. It now says:

   AES-CCM/AES-GCM generates two outputs: a ciphertext and message
   authentication code (also called an authentication tag).

Also 1.4 and 1.5 say there are four inputs to the process and the last para
of 2.2 of the AuthEnvelopedData ID says there's 3. There's no reference to
the nonce. Is the nonce just part of the random content encryption key?

AES-CCM and AES-GCM require a nonce. This is carried in an algorithm
parameter, so it is not really described in the AuthEnvelopedData
document. If one were to turn AES Key Wrap into an authenticated
encryption mode, it would not need such a nonce.

I have added the missing piece of information to the 3rd paragraph of
sections 1.4 and 1.5, which now read:

   The nonce is generated by the party performing the authenticated
   encryption operation. Within the scope of any
   authenticated-encryption key, the nonce value MUST be unique. That
   is, the set of nonce values used with any given key MUST NOT contain
   any duplicate values. Using the same nonce for two different
   messages encrypted with the same key destroys the security properties.

Russ
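
The nonce uniqueness rule quoted in the message above, as an added example that is not part of the original message or of the drafts it discusses: a sender-side nonce source that cannot repeat a value under one key, and an audit check that flags any nonce used twice within the scope of a single key. The names `NonceSource`, `find_nonce_reuse` and `constructed_records`, the key identifiers, and the 12-octet layout (4-octet prefix plus 8-octet counter) are assumptions made for illustration.

```python
import os
from collections import defaultdict


class NonceSource:
    """Hypothetical per-key nonce source: 4-octet prefix + 8-octet counter."""

    def __init__(self, prefix=None):
        self.prefix = os.urandom(4) if prefix is None else prefix
        if len(self.prefix) != 4:
            raise ValueError("prefix must be 4 octets")
        self.counter = 0

    def next_nonce(self):
        # Refuse to wrap around: a wrapped counter would repeat a nonce.
        if self.counter >= 2 ** 64:
            raise OverflowError("nonce space exhausted; switch to a new key")
        nonce = self.prefix + self.counter.to_bytes(8, "big")
        self.counter += 1
        return nonce


def find_nonce_reuse(records):
    """Return {(key_id, nonce): [msg_ids]} for nonces repeated under one key."""
    seen = defaultdict(list)
    for key_id, nonce, msg_id in records:
        seen[(key_id, nonce)].append(msg_id)
    return {k: ids for k, ids in seen.items() if len(ids) > 1}


def constructed_records():
    """Constructed sample data: (key id, nonce, message id) per encryption."""
    src_a = NonceSource(prefix=b"\x00\x00\x00\x01")
    n0, n1 = src_a.next_nonce(), src_a.next_nonce()
    return [
        ("key-A", n0, "msg-1"),
        ("key-A", n1, "msg-2"),
        ("key-B", n0, "msg-3"),  # same nonce, different key: allowed
        ("key-A", n0, "msg-4"),  # same nonce, same key: violation
    ]


if __name__ == "__main__":
    for (key_id, nonce), ids in find_nonce_reuse(constructed_records()).items():
        print(f"nonce {nonce.hex()} reused under {key_id}: {ids}")
```

The check is scoped per key on purpose: the `key-B` record shares a nonce value with `key-A` and is not reported, while the repeated value under `key-A` is.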