Move normative text from security considerations inline in the doc

[aaronpk]

Security considerations should be reserved for implementation details

[ioggstream]

Moreover, the Summary of recommendations should not duplicate mandatory text. I'd replace it with a table referencing the actual spec sections.