Hi! I've reviewed this I-D a couple of times along the way. This time I just looked at the diffs between -20 and -22.

tl;dr: It's ready.

The security related changes this time around were pretty minor:

1. Downgrading TLS to informative. Sounds inflammatory doesn't it, but it's not ;) Something has to be implemented under the API, but it doesn't have to be TLS.

2. Dropped zeroRttMsgMaxLen read-only property. Turns out it wasn't used and didn't offer much utility anyway:
https://github.com/ietf-tapswg/api-drafts/pull/1173