Proposal clarify that anonymous has no credential and is never authenticated and refer to "AuthenticatedUser Role" as the "Authenticated Role" and make it clear it is not always a User.

need to remove the term 'anonymous user' and use 'anonymous role'.

Updated to 4.9.1 to clarify that anonymous means no authentication at the user or application level.

Need to update special rules for Anonymous and AuthenticatedUser based on the new text in Part 3.

The special rules are related to the capability to change the identity mapping.
It makes no sense to allow changed to the identity mapping for Role Anonymous.
Need to discuss if changes to Role AuthenticatedUser makes sense.

Also need to describe the case where a well-known role is removed from the RoleSet Object.

4.3 RoleSet
Added TrustedApplication Role that is new in Part 3

Added clarifications:
The Anonymous Role is the default Role which is always assigned to all Sessions.
The default Identities for the TrustedApplication Role should be an identity with the criteriaType IdentityCriteriaType.TrustedApplication.
A Server shall not allow changes to the Roles Anonymous, AuthenticatedUser and TrustedApplication.
A Server shall not allow the deletion of the well-known Roles Anonymous and AuthenticatedUser TrustedApplication.

4.4.4 IdentityCriteriaType
Added
TrustedApplication
The rule specifies any trusted application that has been authenticated with a trusted ApplicationInstance Certificate (see OPC 10000-4).

4.4.3 IdentityMappingRuleType
Added
If the criteriaType is TrustedApplication, the criteria is a null or empty string which includes any Client application with a trusted ApplicationInstance Certificate. The Client Certificate shall be trusted by the Server and the Session shall use at least a signed communication channel.

Agreed to changes edited in Virtual F2F.