Identify the depth of role definitions #16

@SteveLasker

Adding signatures, as a security capability, leads into the conversation of roles.
How much role definition should we have in the spec, or should we identify opportunities for roles to be used, but not define specific roles?

An example of a concern:
The distribution-spec doesn't define roles or authorization. Some registries have placed user/org partitions in the root namespace. This created challenges for registries to provide _catalog results on the root, as the root applies to all users/orgs.
The goal is to account for how roles would be used, to assure they could be applied to elements of the APIs and their capabilities.

Status: Done
