I have reviewed this document as part of the Ops area directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the Ops area directors.
Document editors and WG chairs should treat these comments just like any other last-call comments.

Summary: the document illustrates using the CBOR Web Token (CWT) or JSON Web Token (JWT) as the Entity Attestation Token for various entities, such as devices, hardware components, software modules, etc.  

One issue I don't see is how to extend to the entities that are not illustrated in the document? Like future "Foo" with a expiration date? 
Does it mean that IANA needs to keep track of all those entity names? Is it really necessary? Many entities are only valid in a special deployment environment. As long as both parties agree upon the JSON format, why need to bother IANA? 

Thank you very much, 

Linda Dunbar