Proposal for Issue 78

["Hal Lockhart" <hlockhar@bea.com>]

I propose replacing section 8 with:

-----
For a variety of reasons it may be necessary to reference a Security
Context Token. These references can be broken into two general
categories: references from within the <Security> element, generally
used to indicate the key used in a signature or encryption operation and
references from other parts of the SOAP envelope, for example to specify
a token to be used in some specified way. References within the
<Security> element can further be divided into reference to an SCT found
within the message and and referenes to a SCT not present in the
message.

The Security Context Token does not support references to it using key
identifiers or key names.  All references MUST either use an ID (to a
wsu:Id attribute) or a <wsse:Reference> to the <wsc:Identifier> element.



{Question: when the <wsc:Identifier> element value is used, is it
necessary to also specify the <wsc:Instance> element value, if present
to disambiguate the key?}


References using an ID are message-specific. References using the
<wsc:Identifier> element value are message independant.

When an SCT is referenced from outside the <Security> element, a message
independant referencing mechanisms MUST be used, to enable a cleanly
layered processing model.

When an SCT is referenced from within the <Security> element, but the
SCT is not present in the message, (presumably because it was
transmitted in a previous message) a message independant referencing
mechanism MUST be used.

When the SCT is referenced from within the <Security> element and is
present in the message, a message-specific referencing mechanism MAY be
used.


[examples]
----

Note the second paragraph is copied from lines 144-146. I suggest
deleting these.

Hal