DDSSEC_ — Plugins per-process or per-participant ?

The full §8 doesn't specify if the DDS middleware shall instantiate the plugins once per-process or once per-local-Participant.
The plugins operations suggest 1 plugin per-process (see Autentication operations where the local Participant's identity is always passed as a parameter. Or the Access Control operations where the local Participant's permissions_handle is always passed as a parameter.)

But in §9.4 it is specified that "Each DomainParticipant has an associated instance of the DDS:Access:PKI-Signed-XMLPermissions plugin". It is not specified for the other builtin plugins.

The §8.1 should clearly states that the decision to instantiate 1 plugin per-process or 1 plugin per-participant is implementation dependant. And the §9.4 should not specify that "each DomainParticipant has an associated instance of the DDS:Access:PKI-Signed-XMLPermissions plugin", as it is possible to implement this plugin with 1 instance per-process only.

Specify plugins are instantiated per DomainParticipant

In section 8.1 add a subsection that specified plugins are instantiated per DomainParticipant. Also state that the way the plugins are configured and bound to the DomainParticipant is implementation-specific

Clarify that validate_local_identity, validate_local_permissions, and check_create_participant are called prior to the DomainParticipant being enabled.