From 4db8e66cfa22a17efcf6873f4ac2514fd1cb2f6e Mon Sep 17 00:00:00 2001
From: Randy Bush <randy@psg.com>
Date: Tue, 17 Oct 2023 12:53:48 -0700
Subject: [PATCH] per ggm, unique one time EE cert, no new key needed

---
 draft-ietf-opsawg-9092-update.xml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/draft-ietf-opsawg-9092-update.xml b/draft-ietf-opsawg-9092-update.xml
index 67d0708..8e7e2b8 100644
--- a/draft-ietf-opsawg-9092-update.xml
+++ b/draft-ietf-opsawg-9092-update.xml
@@ -518,11 +518,10 @@
       </t>
 
       <t>
-	The CA MUST sign only one geofeed with a particular generated
-	private key and MUST generate a new key pair for each new
-	version of the geofeed.  An associated EE certificate used in
-	this fashion is termed a "one-time- use" EE certificate (see
-	Section 3 of <xref target="RFC6487"/>).
+	The CA MUST generate a new EE certificate for each new signing
+	of the geofeed file.  An associated EE certificate used in this
+	fashion is termed a "one-time- use" EE certificate (see Section
+	3 of <xref target="RFC6487"/>).
       </t>
 
       <t>