Note: I didn’t compile the ASN.1 (but it visually looks okay) and I didn’t run the matching algorithms in s3.4.*.

This I-D looks ready to go from my perspective. I only uncovered the following nits:

1. s1: Expand IAN. It’s expanded in the abstract, but shuold be done in s1 as well.

2. s3: s/a EUI-/an EU- (x2)

3. s3.3: s/Relying/relying

4. s3.4.2: s/wasn’t/was not

5. s3.4.2: s/your/the (x2)

6. s3.4.2: s/you/the

7. s3.4.2: s/aren’t/are not

8. s3.4.2: s/can’t/can not

9. s3.4.2.3: s/we’re/we are

10. s4: probably worth saying the security considerations of RFC 5280 apply.