Add Security Consideration to avoid key reuse

[msporny]

From the PING's review (w3cping/privacy-request#120):

Security section should make mention of key reuse considerations and the impact of reusing a key for multiple algorithms. While some combinations of algorithms have proofs that it's sufficiently secure to reuse keys for various algorithms many do not. This spec should discourage the reuse of keys whenever possible to prevent cryptography attacks that could reveal the private key.

/cc @kdenhartog

[msporny]

We should also reference this paper in the guidance: https://eprint.iacr.org/2021/509

[msporny]

Hrm, turns out that we do provide this guidance in the ECDSA Cryptosuite, so perhaps we should move that guidance to the main Data Integrity spec: https://www.w3.org/TR/2023/WD-vc-di-ecdsa-20230817/#key-management

[Wind4Greg]

I added that section, based on NIST and general recommendations. It is very general. So moving it to Data Integrity sounds good and avoids repetition in EdDSA, and future specs.

[kdenhartog]

I'd even suggest pushing up to the vc-data-model spec. While this issue is more commonly encountered in data-integrity formats from did:key it's an issue that re-applies across the entire space.

[msporny]

Agreed, this belongs in the vc-data-model as a general consideration regarding key re-use in any securing mechanism.

[msporny]

PR #1323 has been raised to address this issue. This issue will be closed once PR #1323 has been merged.

[msporny]

PR #1323 has been merged, closing.