Use URI references for Security Requirements in 3.2 #3776
Description
Resolving component names used in referenced (as opposed to entry) documents is ambiguous, particularly in 3.1 where we advertise the ability to have a components-only document to use as a shared component library. Historically, component names were resolved from the entry document, as reference targets were extracted from the document in which they were found without regard for the contents of the rest of the document.
In 3.1, whole-document parsing is required to properly implement the Schema Object, and there is a reasonable intuition that component names should be resolved within the document in which they appear. This is at odds with the historical behavior, and one could argue that for Security Schemes in particular, it makes sense to treat them as part of the "deployment" aspect of things, which is arguably more relevant to the entry document.
For the Discriminator Object, the ambiguity can avoided by using the mapping keyword with unambiguous URI-references (meaning URI-references that are not syntactically valid as component names). There is no similar workaround for the Security Requirement Object.
Adding a URI-reference mechanism for Security Requirements, whether by allowing $ref somewhere, or just allowing URI-references as keys in place of the current component names, will make it possible to write unambiguous security requirements.