Document: An Interface and Algorithms for Authenticated Encryption
                      draft-mcgrew-auth-enc-03.txt
Reviewer: Eric Gray
Review Date:  9/21/2007

Summary: 
=======
This draft is nearly ready for publishing as a Proposed Standard.

Comments/Questions:
==================
At several places, the acronym "AAD" is used when it appears as if "AEAD" was intended.  This occurs in the following places:

o First sentence, next-to-last paragraph, on page 6 o Throughout section 3.3 (both paragraphs, bottom Pp 10, top Pp 11) o First sentence, last paragraph, on page 14

One reason why this appears to be the case, is that section 3.3 is entitled "Construction of AEAD Inputs" - but the very first sentence starts "If the AAD input ..."

If AAD is a distinct term, what does it mean?  If it is not a distinct term, well...
_______________________________________________________________________

In section 4, second paragraph, is it possible to assign a P_MAX value of zero in a particular algorithm, and - if so - what does it mean to say:

  "Each AEAD algorithm MUST accept any plaintext with a length between
   zero and P_MAX octets, inclusive, where the value P_MAX is specific
   to that algorithm"

?

Similar questions also apply to A_MAX and N_MAX in the third and fourth paragraphs (respectively) of the same section.
_______________________________________________________________________

In the last sentence of section 5.3.1, "he" should probably be "an attacker" (it is not clear who "he" is) and "ensues" should probably be "may ensue" (a vulnerability does not guarantee an attack).