Reviewer: Charlie Kaufman
Review result: Has nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document assigns three new code points in the IANA registry for COSE header parameters. While I am somewhat appalled that doing so requires a 27 page RFC that no one will ever read, that is not the fault of the authors who - to their credit - include example syntax that would be helpful to anyone who stumbled upon them. This document only defines the code points. The syntax for the data included at those code points is contained in other documents.

Possible issue for the authors to review and decide whether I'm just confused:

Section 4.2 says "This document establishes a registry of verifiable data structure algorithms, with the following initial contents:" but IANA considerations only requests the registration of three new code points rather than also requesting the creation of a new registry. I don't understand why.

I did not examine the document carefully for typos, but I did notice these:

Section 1, line 3: "proves" should be "proofs"

Section 2, under TBD_0: "one ore more" should be "one or more"

"Merkle" is sometimes capitalized and sometimes not ("merkle"). This is probably not intended.

      —Charlie