Hello,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is READY with nits.

I skimmed through the draft and agree with the author's statement in the first paragraph of the Security Considerations section:

   This document presents a content rules language for expressing CBOR data structures. As such, it does not bring any security issues on itself, although specification of protocols that use CBOR naturally need security analysis when defined.

(As a very minor nit, I'd suggest using "analyses" rather than "analysis".)

Nit 1: The authors have made a good effort at identifying some of the topics that may be considered in a security considerations section of specifications that use protocols using CDDL to define CBOR structures. However, I would recommend that those bullet points be used to supplement a normative reference to RFC 3552, "Security Considerations Guidelines". Perhaps adding the following between the first and second paragraphs:

   Guidelines for writing security considerations are defined in Security Considerations Guidelines [RFC 3552] (BCP 72). Implementers using CDDL to define CBOR structures in protocols must follow those guidelines.

Then change the start of the second paragraph from "Topics that may be..." to "Additional topics that may be..."

Nit 2: I am not very familiar with all of this, but it seems to me that RFC 8152, "CBOR Object Signing and Encryption (COSE)", should be a normative reference rather than an informative reference, and some mention should be made of it in the Security Considerations section. Reference is made in RFC 8152 to CDDL (4th paragraph in Section 1.3):

   As well as the prose description, a version of a CBOR grammar is presented in CDDL. Since CDDL has not been published in an RFC, this grammar may not work with the final version of CDDL. The CDDL grammar is informational; the prose description is normative.

I may be off base here, but it just seems that since 8152 has been published as a Standards Track document, then this draft should normatively reference it, and any subsequent updates to 8152 should normatively reference the Standards Track RFC issuing from this draft.

Best regards,
Chris