Clarify encryption key lifetime and intention

index.html

@@ -349,6 +349,12 @@ <h2>
           with a <a>service worker registration</a> and a <a>service worker registration</a> has at
           most one <a>push subscription</a>.
         </p>
+        <p>
+          A <a>push subscription</a> has internal slots for a P-256 <a>ECDH</a> key pair and an
+          authentication secret in accordance with [[!WEBPUSH-ENCRYPTION]]. These slots MUST be
+          populated when creating the <a>push subscription</a>, and MUST remain constant for its
+          lifetime.
+        </p>
         <p>
           When a <a>push subscription</a> is <dfn data-lt=
           "deactivated|deactivate">deactivated</dfn>, both the <a>user agent</a> and the <a>push
@@ -845,7 +851,9 @@ <h2>
         </li>
       </ol>
       <p>
-        Keys named <code><a>p256dh</a></code> and <code><a>auth</a></code> MUST be supported.
+        Keys named <code><a>p256dh</a></code> and <code><a>auth</a></code> MUST be supported, and
+        their values MUST correspond to those necessary for the user agent to decrypt received push
+        messages in accordance with [[!WEBPUSH-ENCRYPTION]].
       </p>
       <p>
         The <code><dfn id=