Normatively require Attackermodel

Issue #655 resolved
Nat Sakimura created an issue

The current text does not require the Attackermodel document. I think this is not right. We should make it so that there is a requirement that references the Attackermodel document.

One way of doing it is to (while it is a bit weird to read):

Make

5.1. Introduction

The FAPI 2.0 Security Profile is an API security profile based on the OAuth 2.0 Authorization Framework [RFC6749], that aims to reach the security goals laid out in the Attacker Model [attackermodel].

into

5.1. Introduction

The FAPI 2.0 Security Profile is an API security profile based on the OAuth 2.0 Authorization Framework [RFC6749], that aims to reach shall fulfill the security goals laid out in the Attacker Model [attackermodel].

In addition, creating a terms and definitions section in the Attackermodel document, defining the following, and including them in clause 3 of this document would be a good idea.

  • A1 - Web Attacker
  • A1a - Web Attacker participating as AS
  • A2 - Network attacker
  • A3a - Attacker at the authorization endpoint with Read Authorization Request capability
  • A5 - Attacker at the token endpoint with Read and Tamper with Token Requests and Responses capability
  • A7 - Attackers at the Resource Server with Read Resource Requests capability

Comments (2)