Encryption Key Derivation in the Cryptographic Message Syntax (CMS) using HKDF with SHA-256
draft-ietf-lamps-cms-cek-hkdf-sha256-05

Yes

Deb Cooley
Paul Wouters

No Objection

Erik Kline
Francesca Palombini
Gunter Van de Velde
Jim Guichard
John Scudder
Mahesh Jethanandani
Murray Kucherawy
Orie Steele
Roman Danyliw
Zaheduzzaman Sarker
Éric Vyncke

Note: This ballot was opened for revision 04 and is now closed.

Deb Cooley
Yes
Paul Wouters
Yes
Comment (2024-09-18 for -04) Sent 
Thanks for this update and the (reasonably prompt) response to an attack.

My only comment is for:

   salt = "The Cryptographic Message Syntax"

This isn't what we traditionally call a "salt". Salts usually are random. This seems more like a context or binding string? eg to bind the operation to CMS.
Erik Kline
No Objection
Francesca Palombini
No Objection
Gunter Van de Velde
No Objection
Comment (2024-09-16 for -04) Sent 
# Gunter Van de Velde, RTG AD, comments for draft-ietf-lamps-cms-cek-hkdf-sha256-04

In the references FIPS 180-4 is observed. Is there a reason why there is no permalink provided to the respective resource? Through a search i found the reference rather easy, however do the authors of this document expect users to search by themselves for the referenced resource? https://csrc.nist.gov/pubs/fips/180-4/upd1/final
Jim Guichard
No Objection
John Scudder
No Objection
Mahesh Jethanandani
No Objection
Murray Kucherawy
No Objection
Orie Steele
No Objection
Roman Danyliw
No Objection
Comment (2024-09-16 for -04) Not sent 
Thank you to Stewart Bryant for the GENART review.
Zaheduzzaman Sarker
No Objection
Éric Vyncke
No Objection
Comment (2024-09-16 for -04) Sent 
Thank you for the document, while I am not that deep in cryptography, I have some comments:

# Abstract

The I-D title contains `using HKDF with SHA-256` should the abstract also mention this and expand HKDF ?

# Section 2

Which is the unit of "len()", I guess bits but let's be clear.

# Only SHA-256 ?

I was wondering why there is no provision for other algorithms than SHA-256 until I read the "security considerations" section with `One KDF algorithm was selected to avoid the need for negotiation.` This previous sentence is valid and smart but should actually be in the introduction rather than in the security.