I have been assigned to review this document on behalf of the OPS DIR. 

This draft defines a key establishment protocol for the messaging application to protect group chat.
Overall, the document is full of security technical details.

Major Issue：
1. Introduction
Perhaps highlighting the relationship between MLS Architecture in the introduction section can help to understand? I find the description of authentication and delivery service in MLS Architecture really helps.

Nits:
4.2.  Example Protocol Execution
It's a more readable if the figure can be referenced in the text. E.g. figure 2 and figure 3, it is helpful to show which part of text corresponds to the figures.

6.1.  Ciphersuites
AEAD, ECDSA: Please expand on first use.

7.  Message Framing
   enum {
       reserved(0),
       mls10(1),
       (255)
   } ProtocolVersion;
Current protocol is defined as MLS 1.0, but maybe it's possible to explicitly describe the current protocol version and the negotiation mechanism?