[wss] ISSUE: What is a "Security Token"

[Jerry Schwarz <jerry.schwarz@oracle.com>]

This is a resend of my previous note with a changed subject to reflect
the new protocol for raising issues. The content is unchanged.

-------------
This note discusses the use of the phrase "Security Token"
within the core document. I have found it confusing and propose
eliminating it.

The current draft (and I believe all earlier ones) defines "Security
Token" as[209]

   "A security token represents a collection of one or
more claims".

And defines a claim as [188]

   "A claim is a declaration made by an
entity"

This language is confusing within the context of signatures. 
Section 8 [741] says "An XML Digital Signature can be used to bind a
claim ...." which suggests, although it doesn't come out and say it,
that the signature is not itself a claim

Consider this in the context of example 2.4 [274] which contains a
<wsse:UserName> element and a signature.  The <UserName>
element does not contain a digest.  The commentary says [274]
"the username token containing a claimed security
identity".  But an identity is not a declaration.  The
claim in the example is carried by the signature.  It is something
like

The entity identified in the <UserName> element has made a request for the stock information contained in the SOAP body.

I believe that the important concept is direct subelement of a
<Security> element and that the semantics of that element should
not be assumed to be a security token.  I propose to call this a
"security information element", or S-element for short and to
replace "security token" with the phrase throughout the
document. 

If this is agreed to I'll propose detailed edits.