MAY support [WSTrust] in general, but MUST support if deploying the particular case of accessing external Credential Validation Service, per [ChadwickSu09]
We have not validated whether it is possible to implement TAS3 architecture using WS-Trust. Clearly WS-Trust can be used as a token exchange protocol, but for this to be interoperable heavy profiling is needed. Users and advocates of WS-Trust should undertake to write such profile.