6.6 Resource access authorization
Pre-authorization for resources is normally set when the client registers with the host as described in 6.9. If the security policy allows, authorization MAY occur immediately after authentication based on implicit rules to allow a request to complete. This is to allow unregistered access to resources based on security policy. If the client uses a self-signed certificate, pre-authorization using the SFDI of the self-signed certificate MUST have taken place and authorization SHALL be granted if the SFDI of the presented self- signed certificate matches the SFDI presented as part of registration.