Interaction between Security Considerations, Compatibility Profiles, and MTI requirements is unclear
Ángel wrote, about crypto-refresh-02:
I feel the text added in section 15 (Security Considerations) still needs some revision. Maybe split part of it into a different section. There are too many things there, and it seems hard to grasp everything it mixes.
As a concrete suggestion, I would recommend adding Compatibility Profiles as section 15 instead of 16. Security Considerations (SC) refers to Compatibility Profiles (CP), and Compatibility Profiles refers to Security Considerations, but it seems it would be easier to read Compatibility Profiles first (assuming a linear reading of the RFC). The reference to SC is easier to skip (there will be some algorithm choices in that section), whereas the reference to CP is murkier:
Requirement levels indicated elsewhere in this document lead to the following combinations of algorithms in the OpenPGP profile: MUST implement P-256 / SHA2-256 / AES-128 / SHOULD implement ...
when the reader hasn't been told about OpenPGP profiles yet and, in fact, some of the algorithms it shows as a MUST are optional in sections 9.1 / 9.3.
We need more clarity about the interaction between these sections.