Inconsistent normative language regarding key reuse

[danvangeest]

Section 4.1 says:

In order to ensure fresh keys, the key generation functions MUST be
executed for both component algorithms. Compliant parties MUST NOT
use or import component keys that are used in other contexts,
combinations, or by themselves as keys for standalone algorithm use.

Also I suggest "use, import, or export component keys..."

Section 11.2 says:

Therefore, it is
RECOMMENDED to avoid key reuse and always generate fresh component
keys for a new composite. It is also RECOMMENDED that CAs performing
revocation checks on a composite key should also check both component
keys independently.

The normative language needs to be consistent; these should either be MUST/REQUIRED, or SHOULD/RECOMMENDED.

[johngray-dev]

I agree. We will make the language consistent. We will change it to MUST/REQUIRED.