[spec] add statement about responses with PII MUST be encrypted

[timcappalli]

from #109, specifically #109 (comment)

Add something along the lines of:

implementations which pass PII in the response MUST encrypt that information to the verifier in some fashion"

[marcoscaceres]

Can we put that if some input is present the output must be encrypted? Then we can force that algorithmically (and maybe test for it).

[Sakurann]

I don't disagree with a sentiment in a proposed statement, but is a MUST in it really enforceable at the browser API level (somewhat elaborating on #109 (comment))? In reality, wouldn't it be up to a wallet to decide if the encryption is required and reject the request without a public key for encryption, when the wallet requires encryption?

[timcappalli]

To Do: add requirement to registry criteria (#157)

[timcappalli]

Added in 38f0a01