Given our discussion in the 2016-11-18 telecon about softening resource owner-related things in RReg, properly these should be OPTIONAL (since OAuth and OIDC don't involve "setting policies", and OAuth sometimes doesn't involve resource owners at all, only clients acting on their own behalf).

Should the Core spec profile RReg to make these properties REQUIRED vs. OPTIONAL?