The major problem I see is that an implementation needs to add more crypto primitives to support ths curve. And we can expect that 448 will eventually get in widespread use. We already have all primitives but would inhibit the creation of minimal implementations.

I'm reading RFC5297, which says:

SIV can be used as a drop-in replacement for any specification that uses [RFC3394] or [RFC3217], including the aforementioned use. It is a more general purpose solution as it allows for associated data to be specified.

(RFC3394 is the one for AES Wrap)

Is that really required? Should we wait what the conlusion of the WG will be?

I should have explained the context.
No, there is no discussion about this in the WG.

I write this as my memorandum, as the WG charter says something like "Crypto Update". I wonder if use of SIV (instead of AESWRAP) would be more natural, if we were writing the spec today.

In the current specification (of RFC6637), session key encryption with ECDH uses:

• checksum+padding
• AESWRAP using a key generated by KDF

... which seems (for me) complicated and not modern. Well, there is one possibly good point in current spec, where the size of session encryption key can be obfuscated (by longer padding), though.

If we keep RSA/Elgamal in the update of spec, checksum+padding for session key is compatible method, so, AESWRAP might be justified (I mean, makes sense).

I try to see if current libgcrypt has enough features.

Given that the OpenPGP WG practically decided to fork OpenPGP I don't see a reason why we should keep this bug open.