major: "I am strongly against any suggestion that the single-key confidentiality and integrity advantages should be used to calculate rekeying limits [...]"
emphasized that multi-key limits should be used when rekeying, noted that offline work is about time not memory
minor: "I think it would be good if bounds for OCB could be included."
(no change)
minor: "I think this needs to be expanded to explain that there might be a huge number of keys shared between two parties."
added note on multiple sessions between parties and many keys within sessions in introduction
minor: "Would be good if this also mentioned key compromise."
Addressing comments by John Mattsson on CFRG mailing (10 Nov 2023) as follows: