The encoding issue raised by Peter and Peter needs to be very
clear. The current document really handles this by reference, which
is probably not the best.
I suggest the re-write of the 3rd paragraph of section 2.2 to handle
this directly instead of by reference:
If optional authenticated attributes are present, then they are DER
encoded. A separate encoding of the authAttrs field is performed to
construct the authenticated associated data (AAD) input to the
authenticated encryption algorithm. The IMPLICIT [1] tag in the
authAttrs field is not used for the DER encoding, rather an EXPLICIT
SET OF tag is used. That is, the DER encoding of the SET OF tag,
rather than of the IMPLICIT [1] tag, is to be included in the
construction of the AAD along with the length and content octets of
the authAttrs value. If the authenticated encryption algorithm
requires the AAD to be padded to a multiple of some block size, then
the padding MUST be added as described in Section 6.3 of [CMS]. This
padding method is well defined if and only if number of octets in the
block size is less than 256.
Russ