I am the assigned IoT-Directorate reviewer for this draft.

Review result: Almost ready.

Some minor comments:

* Section 4: Perhaps expand what is CoRIM and add a reference to https://datatracker.ietf.org/doc/html/draft-ietf-rats-corim-04

* Section 5 and 5.1: It would be helpful for readers if a short use-case explaining when CMW would be transported in CRLs could be provided. While I can guess why a CMW would be in a CSR, I could not immediately understand when a CMW would be part of a CRL. Similarly, it would be helpful to explain where and how the ASN.1 module will be used. I assume it is relevant for cases where a certificate containing a CMW extension is passed around?

* Section 5.2: I wonder about the consequences of having two different CMW specifications: one by the Trusted Computing Group (TCG) and the other in this draft. I downloaded the TCG specification and found a reference to this draft. Would it be possible for future versions of the TCG specification to reuse this draft rather than creating a subset? Also, this draft states that the "CMW extension" "MUST NOT be marked critical," whereas the TCG specification states that the "tcg-dice-conceptual-message-wrapper extension criticality flag SHOULD be marked critical." In summary, I wonder if these specifications can somehow be synchronized.

Section 7: Please expand UCCS on first use: unprotected CWT Claims Sets (UCCS).

Note: I haven't verified the CDDL, CBOR, and JSON for correctness via tooling, but they looked fine while reading.