Update CAEP & RISC Events and SSF Docs with txn claim

[iamseanodentity]

The txn claim is called out as optional on RFC 8417 but is not referenced on CAEP / RISC Events or in the general SSF documentation. With the new CAEP Event being introduced, session established, it feels like introducing txn now is the right time before v1 is established. This speaks to how a transmitter(SST) and receiver(SSR) can co-op using a standard JWT claim.

SST -> session revoked CAEP Event -> SSR with txn: 123. The SSR that received the SET can then send back, acting as a SST, a session revoked event to the Transmitter which is now acting as a SSR. This is a good example of auditing and accounting practices. This also helps inform a SST that the signals it is emititng to the SSR's are still accurate and not subjective noise to a SSR (i.e. the underlying data powering the SST is valid and accurate...which is important).

Would like to update the open-id-caep-spec (Sections 2 and 3), open-id-risc-spec (Sections 2 and 3) and open-id-sharedsignals-framework-1.0 (Section 5) md files. In the events I think we would want to call out the specifics to use the txn claim and not have it optional for all events.

[FragLegs]

For clarity's sake, the proposal here is to:

1. Update the SSF spec to make txn a required top-level claim of the SET for all SSF events (top-level meaning it nests at the same level as iss and aud in the SET json).
2. Update the SSF spec to include txn in any non-normative examples of events.
3. Update the CAEP and RISC specs to include txn in the non-normative examples.

Is that correct?

[iamseanodentity]

PR submitted