I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is the document is ready. 

I do agree with the Genart review by Mallory Knodel that the security considerations could be more readable, especially since more of the security considerations are by reference to other documents.

I do have a question on the nonces:

Section 3.1.1 Says the nonce can be used more than once. This seems counterintuitive. Are there any recommended bounds on nonce reuse and how would selecting these bounds affect the security properties? This seems more relevant in the TPM 1.2 case as the clock values may be signed in the TPM 2 case, but I am unsure if this is the case.