Note, I'm not objecting to the text, much like in the other case, just
suggesting it may not belong here.
This seems like a good errata for core, more than a specific addition to
this profile. I agree that the current text doesn't read all that well.
It implies that the IdP has to return an error, but it doesn't come out and
say it, so I think we should clean that up.
I will add a PE to my backlog.
In the case of HoK Web Browser SSO, the problem is likely associated
with the X.509 certificate obtained from TLS client auth (so the
RequestUnsupported status code is relevant, I think).
In some cases, sure, but I don't think we need to require it. As a matter of
interop, there aren't many cases where mandating a second level status is
worth bothering with.
There's not much we can do about this in the HoK Web Browser SSO
Profile except to perhaps RECOMMEND to the client to use a DER-encoded
certificate. I doubt that recommendation is gonna make much
Based on the feedback I'm getting, it pretty much makes no difference. The
problem is that if people get non-DER certs, they're stuck with them. That's
kind of the problem here.