"In section 5, it may be worth calling out that the encoded CMWCollection is encoded as an OCTET STRING as the extnValue field of this extension. Section 4.2 in RFC5280 makes this point but I’ve seen the outer OCTET STRING left out in a couple of attestation-related contexts. The pseudo code about removing “the ASN.1 OCTET STRING” in Section 3.3. could further this misimpression since there are two OCTET STRING layers wrapping a CBOR value. Maybe add something like: “The DER encoded CMWCollection is the value of the octet string for the extnValue field of the extension”."
Carl's review (https://mailarchive.ietf.org/arch/msg/rats/xY2mwu790UOGnhFAUduGj5ddo3Y/)