Here are a few comments on DSSC. I'll send an off list email with some editorial comments.
- In section 4.1, the fifth element in the sequence should be named SuitableAlgorithm to be consistent with the schema in Appendix B
- The draft should provide some guidance regarding constraints. For example, should one define key size constraints per public key algorithm or per each signature algorithm? For policy brevity, the former would be better. Perhaps an alternative would be to bind constraints and validity periods within SuitableAlgorithm.
- Section 5 should include processing for constraints.
- The spec should prohibit including multiple instances of the same algorithm identifier w/ the same constraints.
- If an ASN.1 version is to be produced, using an enveloping signature would make the mapping to CMS easier.
- The assumption in Section 3.2 that one must find an old policy in order to determine if an algorithm was valid at a point in the past is too complicated. Suitability definitions should accumulate in a single policy definition. An enterprise could maintain several policies. For example, one complete, one current and one past policy could be maintained.