Paul, two points. For me to be happy, your specification must mandate that xmldsig be used whenever encryption is used.
As a consequence of this and your decision not to support MACs, then in order to encrypt a document, you must sign it. In addition, in order to accept this encrypted document, the recipient must be able to verify your signature. Please confirm with the working group that these requirements are acceptable. In particular this forbids the case where I submit an entry encrypted to some third party who I don't share a PKI with.
