I have reviewed this document as part of the Ops area directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the Ops area directors.
Document editors and WG chairs should treat these comments just like any other last-call comments.

The document includes a comprehensive list of claims (e.g., hardware model, version, software name/version, location, uptime, boot count, etc.)​​. This extensive scope could lead to implementation challenges, especially for constrained devices with limited resources. Defining and managing such a wide range of claims across various device types and manufacturers may be overly complex.

Is it possible to prioritize and reduce the number of mandatory claims to those most critical for attestation? Optional claims can be defined for more specific use cases to reduce the burden on constrained devices.

It would be useful if the document provides detailed guidelines and best practices for implementing privacy protections, including minimizing the exposure of sensitive claims and ensuring that privacy considerations are integrated into the design from the outset.

Best regards, Linda Dunbar