Mandatory or optional entry in the KeyStore for the encrypted files ?

[DanGhita]

It is not clear for me if an encrypted file must have an entry in the KeyStore, or this is just optional. For example, in section 3.3 it is written:

" Each SHOULD have an entry in the Key Store. If an OPC part is not referenced by any Encrypted File relationship it SHOULD be considered as not encrypted and the Key Store SHOULD NOT contain any entry associated with that part."

However, it seems to me that, without no entry in the KeyStore, an encrypted file could not be decrypted by consumers.
Furthermore, next evolution of the Security Specification would probably require adding authentication (asymmetric digital signature). In that case, the KeyStore element should be definitely part of the signature. Having mandatory entries for encrypted files in the KeyStore and authenticating the KeyStore will bring more security robustness to all sensitive data (encrypted files) within the package.

[jordig100]

This was in purpose not having it as a MUST. Consider the workflow where the ContentKey is provided by a DRM system, and retrieve it externally to the 3MF. In that case you might not want to specify it in the 3MF, since it would be targeted to a specific consumer.