AuthenticationFailed error response is inconsistent with HTTP spec

[alexdutton]

The SWORD spec says a 403 Forbidden response should be used in the scenario "The request supplied invalid credentials, or no credentials, when the server was expecting to authenticate the request.".

Invalid or no credentials should result in a 401 Unauthorized.

The spec is missing an error response for scenarios where the request is forbidden, e.g. if one is attempting to turn a completed deposit into an in-progress deposit, or otherwise modify a completed deposit.

[richard-jones]

• add a 401 Error Type to 9.8.1 with suitable description
• modify 403 in 9.8.1 to only be returned if credentials were supplied and were wrong, and also allow it to be returned if there is a different reason the operation is forbidden
• add a protocol requirement to return 401 when no credentials are supplied but are required
• add some details about 401 vs 403 in section 10
• update 7.1 in line with new meanings for these errors
• add new error types to json-ld spec