Today for the group meeting, I did an informative presentation on the $subject. The slides are here. It uses existing materials from several publicly available presentations. When I was preparing this talk, some of the related issues from an applied cryptography perspective came to my mind. (It is possible some of these issues have already been addressed and I may not be aware of it. Please do let me know if you have any pointers.)
If we use constant values as attributes, how do we efficiently revoke a key (i.e. ideally without affecting other users while preventing access to the revoked user)?
Can we say that IND-CA-CCA provides stronger security than IND-CCA?
There is a huge amount of trust placed on the PKG (Private Key Generator) server. How do we increase the trust? (One possibility is to use a threshold scheme to make a collective decision.)
How can we be sure that user authentication to the PKG is perfect? (That is, it gets it 100% right, so that no one can impersonate others.) The security of the whole system depends on how strong the authentication process is.
We need to send attributes in the clear. This may allow malicious parties to infer information about the message being sent. Can we come up with a scheme that hides even the attributes? (We don't want to increase the load on the recipient.)