I have been doing a fair bit of Identity MetaSystem and CardSpace conversations with many of our enterprise customers lately, and while most people are keen to understand the various business scenarios enabled by this powerful architecture, there is always one security specialist in the audience that wants to know more about just how exactly do the security tokens get passed around, and how does the WS-Trust protocol work behind the scenes in order to ensure security, integrity and confidentiality.
While I love drawing up diagrams describing how messages are signed and encrypted and detailing ownerships of various key on a whiteboard, this conversation inevitably gets me sidetracked for an hour, and leaving the rest of the audience (who may not necessaily be so security-details inclined) a bit behind.
A big note is that you shouldn't frown upon the seemingly complexity of WS-Trust, as the user of CardSpace, you don't ever need to know about the under the hood workings of the WS-Trust protocol to take advantage of the technology. However, if you are that way inclined, you would only ever need to go through this understanding once, in order to gain confidence about how this identity management solution will maintain integrity and confidentiality while enabling interesting business scenarios in Web 2.0.
And to Vittorio - love your notation!