[wss] ISSUE: What elements can appear directly in an STR?

[Jerry Schwarz <jerry.schwarz@oracle.com>]

At the last conf call I made a motion that passed to allow "security
tokens" to appear immediately as a subelement of a
<SecurityTokenReference?.  I originally had wanted to say that
anything that might appear as a top level subelement of a
<Security> element should be allowed to appear immediately inside
an STR, but there were several objections to that and I accepted a change
to "security token".  It appeared that the objections were
because they were trying to exclude.

I have no objections to exclusions, but the term "security
token" is not well defined so we are left with an ambiguous
specification.  I don't have strong feelings about what should be
excluded, or about what to call the list of possible elements. 
"security token" would be fine with me if it was defined
unambiguously in terms of XML.  It is not.

I propose that the phrase "security token" in the definition of
what elements can appear immediately in an STR be replaced by
"security related element" and that "security related
element" be defined as

"Any element that might appear as a subelement of <Security> with the exception of ds:Signature, ...." [The ... should be filled in by those who wanted to exclude things. Except for Signature I'm not sure what was intended to be excluded).

If we do that, then we should go through the document and determine
whether there are any other uses of "security token" that
should be replaced by "security related element". I propose the
introduction of a new phrase rather than a revision of the definition of
"security token" because apparently "security token"
has an accepted meaning in various communities and an using it in a
different way in the WSS specification would cause confusion in those
communities.