I think this is probably ready but wanted to just check one thing. The draft seems overly prescriptive in some places. I think that's ok though as it's the CBOR spec that'd affect interop so is where such issues should be addressed. Is that right? If so, that's fine. If, however, the MUSTs in this draft are supposed to be slavishly followed then I think a non-trivial number of them are wrong. Just to pick out a couple of examples:

4.3.1: "Devices MUST reject manifests with sequence numbers smaller than any onboard sequence number." I'm not sure it's ok to rule out rollback without a new manifest in all cases. Is there evidence that that is ok?

4.3.6: Why MUST that location be explicit in the manifest? It could be an installation parameter in some cases, e.g. use SD card if present, else use on-board flash, and all might depend on space available and boot order settings.

Note that even though I disagree with some of those MUSTs, the draft would still be fine and useful so long as those aren't taken too seriously :-)

A couple of nits:

abstract: s/must be present/can be present/ ?

3.20: Expand XIP on 1st use