Any feedback on the below draft?
Since you seem to really want feedback: Although no byte sequences can be counted on to consistently identify SAML objects, i.e. assertions and/or protocol messages, they will contain either one, or both of, the strings: urn:oasis:names:tc:SAML:1.0:assertion urn:oasis:names:tc:SAML:1.0:protocol to identify the SAML XML namespace(s). Aren't these supposed to be well-formed XML, and thus also likely to have the same [BOM]<?xml initial sequence discussed in RFC 3023? Is the root element of a SAML body expected to be in one of the SAML namespaces, or just 'anywhere in the tree at any depth'? I'm puzzled by the applicability statement: Application protocols capable of conveying MIME entities, such as HTTP [3], SHOULD use the media type defined in this document when conveying SAML-defined objects. and wonder why it was made, since 'application/saml+xml' doesn't seem to appear in the SAML document on bindings. Why does it matter? Larry -- http://larry.masinter.net