I am the ART directorate reviewer for this document. The comments are mainly for the ADs, but others should treat them like any other last-call comments.

I did not shell at the 187 CHF for the SWID specification.  Kudo's to the authors for doing something that seems (claims?) to be compatible, in an infoset way, and is also much more compact.  A couple of minor things.

In 2.3, why are there three separate bools for corpus/patch/supplemental as opposed to a single enumeration? Can the tag-id be a digest of the source file?
What are the implications of it not being unique? That should be listed in the security considerations.

The expert review guidelines seem like "specification required" with some additional requirements on things like what the specification must say.

I was surprised to see Carsten's full contact information given, as if he were a co-author.