Subject: Does encryption need to be called out as MTI?
Three generic encrypted elements are found within the SAML 2.0 CD:

1) <saml:EncryptedID>
2) <saml:EncryptedAssertion>
3) <saml:EncryptedAttribute>

I am omitting those elements/attributes that are specific to particular protocols (e.g., Name Identifier mapping). It is not always clear to me (perhaps with the exception of <saml:EncryptedID>) when conformant implementations should be ready to create or consume these encrypted elements.

I would propose the following text to be added to the conformance document:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Conformant implementations MUST be able to process or generate the following encrypted elements:

1) <saml:EncryptedID>
2) <saml:EncryptedAssertion>
3) <saml:EncryptedAttribute>

in any context where they are required to process or generate the corresponding unencrypted elements:

1) <saml:NameID>
2) <saml:Assertion>
3) <saml:Attribute>
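As an added example (not from this thread or from any SAML implementation), a stdlib-only Python check of the consumer-side half of the proposed rule: wherever a relying party looks for <saml:Assertion> it must also accept <saml:EncryptedAssertion>, and it should refuse an EncryptionMethod it is not prepared to decrypt rather than fail silently. The namespace table, PAIRS, ALLOWED, locate, check_response and the sample Response are all assumptions of this example; the ciphertext in the sample is dummy base64.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The three plaintext/encrypted pairs named in the proposal.
PAIRS = {"Assertion": "EncryptedAssertion", "NameID": "EncryptedID",
         "Attribute": "EncryptedAttribute"}
# Content-encryption algorithms this hypothetical consumer will decrypt.
ALLOWED = {"http://www.w3.org/2001/04/xmlenc#aes128-cbc",
           "http://www.w3.org/2001/04/xmlenc#aes256-cbc"}

def locate(parent, name):
    """Find <saml:name> or its encrypted twin directly under `parent`.
    Returns ('plain', elem), ('encrypted', info) or (None, None)."""
    plain = parent.find(f"saml:{name}", NS)
    if plain is not None:
        return "plain", plain
    enc = parent.find(f"saml:{PAIRS[name]}", NS)
    if enc is None:
        return None, None
    data = enc.find("xenc:EncryptedData", NS)
    if data is None:
        raise ValueError(f"{PAIRS[name]} lacks xenc:EncryptedData")
    method = data.find("xenc:EncryptionMethod", NS)
    algo = method.get("Algorithm") if method is not None else None
    if algo not in ALLOWED:   # reject anything we cannot (or should not) decrypt
        raise ValueError(f"unsupported EncryptionMethod {algo!r}")
    key = data.find("ds:KeyInfo/xenc:EncryptedKey", NS)  # inline EncryptedKey
    if key is None:                                      # or a sibling of EncryptedData
        key = enc.find("xenc:EncryptedKey", NS)
    return "encrypted", {"algorithm": algo, "has_key": key is not None}

# Constructed sample Response (dummy base64 ciphertext): the case a consumer
# that only looks for <saml:Assertion> would silently miss.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
  <saml:EncryptedAssertion><xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="{NS['xenc']}aes256-cbc"/>
    <ds:KeyInfo><xenc:EncryptedKey><xenc:CipherData>
      <xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>REVG</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

def check_response(xml_text=SAMPLE):
    return locate(ET.fromstring(xml_text), "Assertion")
```

Actual decryption of the CipherValue is left to an XML Encryption library; this check only establishes that the encrypted form is recognised and that its algorithm is one the consumer has chosen to support.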