Handling of MAC-based protection: Adaptations not documented and partly surprising

[DDvO]

The changes made by #106 aim at fixing issue #91 - the behavior should be according to RFC 9483 section 4.1.5.

Yet they are

• not documented (for the LightweightCmpRa, I just proposed a respective update)
• incomplete: responses to requests with MAC-based protection must use MAC-based protection with the same credentials
  regardless of what is configured, i.e., this must be done also if reprotect has not been configured.

[ralienpp]

• Make the default compliant with the lightweight profile
• Allow a way to override it via a config flag

Note: the CmpRaComponent always needs this to be passed in explicitly, so only the lightweightCmpRa can have a default.

[Akretsch]

shall be fixed in PR #142 and siemens/LightweightCmpRa#101

[DDvO]

shall be fixed in PR #142 and siemens/LightweightCmpRa#101

For the cmpRaComponent case I still do not see where the changes done in #106 and in #142 are documented.
Also to API users it must be clearly documented how the RA protects responses (or passes them on), based on configuration and default behavior.

[DDvO]

Meanwhile a related preliminary update on https://github.com/siemens/LightweightCmpRa/blob/main/doc/config/README.md has been merged.

Yet note that for the LightweightCmpRa doc a further (small) update is needed,
namely the new new sentence ending in:

(regardless of the configuration related to reprotection or output credentials).

needs the condition mentioned that this is only if the new config option EnforceReprotectMode is not set to true.

[ZMaradics]

Pull request merged to the main: #142

[ZMaradics]

Can be closed