It occurs to me, reviewing the updates, that there are a number of places in the spec where RFC 2119 terms are being used even though it's not clear "who" needs to follow these instructions or how. It is good practice to identify classes of conformance (here, user agents and CDM), and to write normative statements using an affirmative form; see A Method for Writing Testable Conformance Requirements.
Originally raised by @tidoust in #530: