
* 3.iii - embedding an EPI in an X509 cert sounds good, but not sure how that would make migration easier: don't you have to move the private key then with the resource?

Moving the private key wouldn't be necessary. The idea is that, through the trust hierarchy (out of scope), a client can trust that the public key bound to an EPI via the certificate can be used to securely communicate with (and thus authenticate) that resource. In fact, this trust mechanism allows for the client to trust (if the issuer is trusted) *any* key bound to that EPI. Therefore, when the resource migrates (or the certificate expires, is compromised, etc.), an intermediate CA can just issue a new certificate/keypair for the resource, and any EPR rebinding mechanisms will provide clients with the newly updated EPR containing the appropriate public key (and new address, etc.). -Duane
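The check Duane describes, written out as an added example (not code from this thread or from any WS-Addressing implementation), using only the Go standard library. It assumes the EPI is carried in the certificate as a URI subject alternative name and that the issuing CA is already in the client's trust store; the `urn:example:` EPIs and the CA name are constructed sample values. The client rule is: the chain must lead to a trusted root, and the certificate must name the expected EPI. Under that rule a rebinding with a brand-new keypair for the same EPI verifies, while a certificate for a different EPI or one issued by an untrusted CA does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// signCert signs a template with the given parent/signer and parses the result back.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakeCA creates a self-signed CA: the trusted issuer that clients rely on.
func MakeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueForEPI generates a fresh keypair and a certificate that binds the EPI
// (as a URI SAN, an assumption of this example) to the new public key. Calling
// it again for the same EPI models a rebinding after migration or compromise.
func IssueForEPI(ca *x509.Certificate, caKey *ecdsa.PrivateKey, epi string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	u, err := url.Parse(epi)
	if err != nil {
		return nil, nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "resource"},
		URIs:         []*url.URL{u}, // the EPI-to-key binding
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := signCert(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// VerifyEPIBinding is the client-side rule: a trusted chain AND the expected EPI
// named in the certificate. Which particular key is bound does not matter.
func VerifyEPIBinding(roots *x509.CertPool, cert *x509.Certificate, epi string) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	for _, u := range cert.URIs {
		if u.String() == epi {
			return nil
		}
	}
	return errors.New("certificate is not bound to EPI " + epi)
}

func main() {
	ca, caKey, err := MakeCA("demo-ca") // constructed sample CA
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	const epi = "urn:example:resource:42" // constructed sample EPI
	before, _, _ := IssueForEPI(ca, caKey, epi)
	after, _, _ := IssueForEPI(ca, caKey, epi) // rebinding: same EPI, new key
	fmt.Println("original binding:", VerifyEPIBinding(roots, before, epi))
	fmt.Println("rebound (new key):", VerifyEPIBinding(roots, after, epi))
	other, _, _ := IssueForEPI(ca, caKey, "urn:example:resource:99")
	fmt.Println("wrong EPI:", VerifyEPIBinding(roots, other, epi))
}
```

The private key never leaves the host that generated it: migration means the CA issues a new binding and clients re-run `VerifyEPIBinding` against the EPR they were handed. Revocation or expiry of the old certificate (not shown) is what stops the previous key from continuing to pass the same check.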