Clarify langauge about types of identity management in source track

[adityasaky]

The source track currently says:

There exists an identity management system or some other means of identifying actors. This system may be a federated authentication system (AAD, Google, Okta, GitHub, etc) or custom implementation (gittuf, gpg-signatures on commits, etc). The SCS MUST document how actors are identified for the purposes of attribution.

Should we clarify the text in the table so we aren't distinguishing between "federated" and "custom" implementations? I'm not sure we want to be bucketing specific mechanisms anymore, for what it's worth.

First raised in #1133 (comment)

[zachariahcox]

@adityasaky that's fine with me! I think this wording was there to describe the wide range of options available to implementers more than to be a complete list.

[adityasaky]

Addressed in #1265