The current key reuse section merely does NOT RECOMMEND reusing old key material, citing the domain separators added as a defense against out-of-context (signature stripping) attacks.
However, a domain separator MUST be chosen from a prefix-free set, and in this case we are trying to domain separate against the classical use, which does not include a domain separator at all, i.e. has the empty string as a domain prefix.
The empty string is a prefix of every string; therefore there is no secure way of domain separating the hybrid.
The only alternative I see to a MUST NOT on key reuse is including a domain separator for the classical use case as well, but this will be a breaking change for old clients, and if you introduce a breaking change, you might as well just use a new key instead.
Therefore, I would like us to step up the language from RECOMMEND to MUST.
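The prefix-free argument above, worked through as an added example (not code from the draft or the list); HMAC-SHA256 stands in for a real signature scheme so it runs offline, and the labels HYBRID_DS and CLASSICAL_DS are assumed, not the draft's actual separators:

```python
import hashlib
import hmac

# Stand-in for a real signature scheme so the example runs offline: HMAC-SHA256 with a
# shared key plays the role of Sign/Verify. The argument is unchanged for a real
# scheme, because a signature binds exactly the bytes that were signed.
def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

# Assumed labels; the draft's actual domain separator strings are not on this page.
HYBRID_DS = b"HYBRID-V1:"
CLASSICAL_DS = b"CLASSICAL-V1:"
CLASSICAL_LEGACY_DS = b""  # classical use today: no separator, i.e. the empty prefix

def is_prefix_free(labels) -> bool:
    """True iff no label is a prefix of a different label in the set."""
    labels = list(labels)
    return not any(labels[j].startswith(labels[i])
                   for i in range(len(labels)) for j in range(len(labels)) if i != j)

def hybrid_sign(classical_key: bytes, pq_key: bytes, msg: bytes):
    """Hybrid signature: both components sign HYBRID_DS || msg (PQ part modelled by a 2nd key)."""
    data = HYBRID_DS + msg
    return sign(classical_key, data), sign(pq_key, data)

def classical_verify(key: bytes, msg: bytes, sig: bytes, ds: bytes = CLASSICAL_LEGACY_DS) -> bool:
    """Classical verifier; with the legacy empty separator it checks exactly msg."""
    return verify(key, ds + msg, sig)

def stripped_component_accepted(classical_key: bytes, pq_key: bytes, msg: bytes, ds: bytes) -> bool:
    """With key reuse: does the classical component of a hybrid signature, taken out of
    context, verify under the classical verifier as a signature on HYBRID_DS || msg?"""
    classical_sig, _pq_sig = hybrid_sign(classical_key, pq_key, msg)
    return classical_verify(classical_key, HYBRID_DS + msg, classical_sig, ds)

def legacy_client_accepts_new_classical(key: bytes, msg: bytes) -> bool:
    """Breaking change: a signature made with CLASSICAL_DS fails at a client with no separator."""
    return classical_verify(key, msg, sign(key, CLASSICAL_DS + msg))

if __name__ == "__main__":
    k, pq = b"constructed-classical-key", b"constructed-pq-key"  # constructed sample keys
    print(is_prefix_free([CLASSICAL_LEGACY_DS, HYBRID_DS]))              # False: "" prefixes all
    print(stripped_component_accepted(k, pq, b"hello", CLASSICAL_LEGACY_DS))  # True: separation fails
    print(is_prefix_free([CLASSICAL_DS, HYBRID_DS]))                     # True
    print(stripped_component_accepted(k, pq, b"hello", CLASSICAL_DS))    # False: separated
    print(legacy_client_accepts_new_classical(k, b"hello"))              # False: old clients break
```

The last two checks show the only alternative the post names: a classical separator restores prefix-freeness, but every legacy verifier then rejects the new classical signatures.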