The document is extremely well written ... I didn't find too much to comment on, despite looking pretty closely at the key management and signing aspects. I just have two nits:

(1) The following paragraph appears twice in the document (looks like just a copy/paste error when moving stuff around): "Identifying the private key associated with the certificate and getting the department that controls the private key (which might be stored in a Hardware Security Module (HSM)) to generate the CMS signature is left as an exercise for the implementor. On the other hand, verifying the signature has no similar complexity; the certificate, which is validated in the public RPKI, contains the needed public key."

(2) Section 6, paragraph 5: is this intended to be an RFC 2119 "MAY"? If so, capitalize. If not, avoid the word.