The security directorate tries to review all IETF documents prior to IESG review. This should be considered as input to the security AD's, or otherwise general Last Call comments.

I apologize for the lateness of this review. Hopefully since a new draft is expected, this might be useful anyway.

This is READY (reasonable folks may disagree of course).

There are no nits that aren't already covered. I have some suggestions:

- I wish the terminology were in alphabetical order.
- The requirements list should say "each is covered in more detail in the following subsections" or similar.

The topic, updating firmware on IoT devices, is very important. The document defines requirements, explains why, and then describes an architecture that could meet those requirements. Examples cover a variety of instantiations. I think this is the first time I have seen a ladder diagram for processing steps, as opposed to protocol interchanges.

This is a very well-written document.