The WS-Security specification referes to about 5 different methods for referencing security token references:
They are as follows:

DirectReferences - currently implemented
Key Identifies - (this would correspond to the x509 identifier hash)
Key Names
Embedded References
KeyInfo - from xml security

Care should be taken in deciding which of these we should implement, because the WS-Security profile draft outlaws most of them. Key identifies are probably the only other style we should support. Unfortunately the WS-Security spec doesnt require any of these, so we may have to determine this based off of interoperability testing.