There remain two questions:
whether the CBC feedback will be around each of the three DES instances or
will be a single feedback around the chain of three DESs;
whether the IV(s) should be carried under the RSA key or given in the open.
I would advocate having three feedback paths, three IVs and encrypting them
along with the three keys. I know that current practice is to give the
single IV in the clear (whose suggestion was this?) and that after the 1st
8 bytes, the IV is immaterial -- but 3 IVs cover the first 24 bytes of
message, enough to cover the low entropy start of the output of a decent
compression algorithm. [I know that we're not compressing today but that
doesn't mean we never will, I hope (on performance grounds, not merely on
security grounds).]
- Carl