For an overview of the Secure Object Format, look here.
System requirements are discussed here.
Design decisions are discussed here.
The Secure Object Format is basically a serialized parse tree. The serialization is relatively well defined here.
The parse tree itself is far more up in the air. Here are some notes I've accumulated over time. The current version is in the grammar.nostack file.