Note: This ballot was opened for revision 05 and is now closed.
I tend to agree with the last call commenters about the likely leakiness of this despite all the good normative language in this document, but don't see a justification not to publish this given that we published RFC 7255.
I agree with Adam's request for additional text in the security considerations section. Thanks for addressing the SecDir review comments: https://mailarchive.ietf.org/arch/msg/secdir/lZ_SwtRm1tBvuB7UPF-awcrsv60
I think the security section would be improved by adding a blanket warning about not accidentally leaking the MEID in other contexts, such as (and in particular) when application servers subscribe to user registration state using the event package defined in RFC 3680.