1). I don't know how permissions and properties are implemented at the lower level and if they are logically AND. But here is what our document says about permissions:
How to Write WICED Smart Applications on page 11:
"The permission parameter specifies whether the characteristic value can be read and/or written by the client
and identifies the security level required for the read, write, notify, and indicate procedures. These are
permissions set up by this application (Table 2 on page 12 lists the defined permission bits)"
So yes if you want a read property, also give read permissions. Now depending on which permission you give, it will define the security level required. The Table 2 on page 12 has the definitions of the permissions.
if I enabled the read property and the read(authenticated) permission, does that allow reading only over an encrypted link? yes.
2). This depends on what kind of pairing has been established.
I think our implementation of the stack allows three types of pairing: Just Works, Passkey, Out of Box(OOB)
According to Bluetooth SIG (LE Security | Bluetooth Development Portal), "MITM protection is obtained by using the passkey entry pairing method or may be obtained using the out of band pairing method."
You can refer to hello_client to for passkey and OOB implementations
3). as an example you can do something like this:
CHARACTERISTIC_UUID128 (HDLC_TEST_TEST, HDLC_TEST_TEST_VALUE,
You can try playing around with WICED Bluetooth Designer to create a new GATT DB.
(File->New->WICED Bluetooth Designer)
4). Can you give us the links to the forums you are referring to? Don't know what you are referring to.
Does this help? Let us know.
Thank you for the answer userc_19497. I think it clarifies the situation somewhat for me.
The security document/app note I was asking about in #4 above was mentioned in the following posts ...
mwf_mmfae said -- "A security AppNote was originally due out this quarter, but I'm not sure if that is still the case as this may move to Q4." 
andrew997 said -- "Any updates on the availability of an app note and/or example app demonstrating the RSA capabilities of the BCM20737?"