add ADR & clarify namespace reference doc to explain intent of non-ssvc namespaces

[ahouseholder]

Extending from a comment in #703:

(This comment is not a response to the one above it, it's just a separate thought I wanted to capture based on this comment in a related PR #704)

I think our intent with namespaces was to use the namespace to indicate concepts that are defined by some other authority (e.g., the CVSS SIG in this case of CVSS-based decision points, or NCISS in the case of #707, etc.) and where our decision points are just intended to reflect their definitions. In other words, we don't "own" the semantics of those decision points, we're just providing them for convenience to SSVC users.

It probably wouldn't hurt for us to maintain a list of namespaces we recognize in our repository, along with some documentation that basically says you can make up your own namespace for local use.

Originally posted by @ahouseholder in #703

This issue is capturing a follow-up to #703 & #749, but is otherwise unrelated to #752.

We need to write down the explanation above as part of the project documentation. I think this needs to occur in two places:

• an ADR that says we use namespaces and what we intend them to be used for (ADRs are written for project collaborators to establish baseline expectations). The ADR should give some rationale and background for why we found it necessary to add namespaces.
• an explanation written for SSVC adopters/implementers that summarizes the ADR more succinctly and declaratively (doesn't need as much rationale, just "here's what we are doing" with enough "why" to motivate the topic.