Document WG security review requirements for protocols

[timcappalli]

"MUST have undergone security review by the Federated Identity Working Group."

@bvandersloot-mozilla: Do we want to define the criteria by which this group would review those?

One comment from the registry criteria PR is that the spec needs to define the criteria for the security review. Where in the spec this should go is TBD and we should discuss here...