The Gaborone requirements are that a Server should reject an update to /roles if: a) the Update is received over an anonymous connection (e.g. CoAP, as opposed to authenticated CoAPS)

• or - b) the Update contains a public key value that does not match the public key of the currently-authenticated Client

Classic's code appears to conform to these requirements on visual inspection (as of Jan 2020) but Classic still fails the CTT test that would verify this behavior (CT 1.7.4.5). The failure needs to be root-caused, and a fix (possibly simple) applied before OCF can apply these requirements to Fargo and prior Devices (e.g. Classic Devices).