
2.3.1 Framework

  1. MUST support SOAP 1.2

  2. MUST support XML-DSIG [XMLDSIG], a.k.a. RFC3275. In future we may introduce simpler schemes such as Simple Web Token [Hardt09]. Using the TLS connection stream as an audit trail element is impractical because of the volume involved and because implementations are unable to capture it; a captured TLS stream would also risk inadvertent collateral disclosure of everything else carried on the connection.

  3. MUST support Exclusive XML Canonicalization [XML-EXC-C14N] for the purposes of [XMLDSIG].

  4. MAY support simple sign [SAML2SimpleSign]. In future we will support Simple Web Token [Hardt09], which is very similar to simple sign.

  5. MUST support XML-Enc [XMLENC] for protecting NameIDs and attributes, including bootstraps, as well as whole assertions, against an active intermediary. The common case is an SP that is about to make a web service call. To make the call, the SP must obtain from the discovery service a token that it then passes to the web service provider. XML-Enc support allows the discovery service to place the pseudonym, and potentially some sensitive attributes, inside the encrypted token for the web service provider, so that the intermediary (the SP in this case) cannot read this confidential information. This case cannot be solved with TLS alone: TLS is point-to-point, and for this case the TAS3 architecture necessarily specifies an active intermediary that terminates both TLS connections.
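The three-party flow in item 5, as an added example rather than code from the TAS3 project: the discovery service encrypts a NameID for the web service provider (WSP), the SP carries the token but cannot open it with its own key, and any modification by the SP in transit is rejected by the WSP. The code reproduces the layering XML-Enc uses (an RSA-OAEP key-transport EncryptedKey wrapping a fresh symmetric content key, which in turn encrypts the payload) with the Go standard library, using AES-GCM for the content so integrity is covered as well; it does not emit the XML serialisation. The entity IDs, the sample NameID payload and the generated key pairs are constructed stand-ins, and binding the recipient name as associated data is an assumption of this example, not a requirement of the text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedToken mirrors the shape of an XML-Enc <EncryptedData> whose <KeyInfo>
// carries an <EncryptedKey>: a content-encryption key (CEK) wrapped for one
// recipient, plus the payload encrypted under that CEK. XML serialisation omitted.
type EncryptedToken struct {
	Recipient    string // intended reader's entity ID; bound as AAD (assumption of this example)
	EncryptedKey []byte // RSA-OAEP(SHA-256) wrapping of the CEK under Recipient's public key
	Nonce        []byte // AES-GCM nonce
	Ciphertext   []byte // AES-256-GCM(payload) with the tag appended
}

// Encrypt is the discovery service's step: protect payload so that only the
// holder of the private key matching wspPub can read it, whoever relays it.
func Encrypt(wspPub *rsa.PublicKey, recipient string, payload []byte) (*EncryptedToken, error) {
	cek := make([]byte, 32) // fresh AES-256 content key per token
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Recipient is authenticated as AAD so the SP cannot re-label the token for another reader.
	ct := gcm.Seal(nil, nonce, payload, []byte(recipient))
	ek, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, wspPub, cek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedToken{Recipient: recipient, EncryptedKey: ek, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is attempted by whoever holds priv; it succeeds only for the key the
// CEK was wrapped under, and only if the token was not altered in transit.
func Decrypt(priv *rsa.PrivateKey, tok *EncryptedToken) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, tok.EncryptedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap content key: %w", err)
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, tok.Nonce, tok.Ciphertext, []byte(tok.Recipient))
	if err != nil {
		return nil, fmt.Errorf("token rejected: %w", err)
	}
	return pt, nil
}

// Payload is a constructed sample of what the discovery service protects:
// a persistent pseudonym the SP must relay but must not learn.
const Payload = `<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">pseudonym-7f3a</saml:NameID>`

// Result records what each party could do with the token.
type Result struct {
	WSPPlaintext   string // what the WSP recovered
	SPCouldRead    bool   // whether the SP could decrypt with its own key
	TamperDetected bool   // whether a byte flipped by the SP was caught by the WSP
}

// RunFlow simulates discovery service -> SP (active intermediary) -> WSP.
// Both key pairs are generated here as stand-ins for the parties' real keys.
func RunFlow() (Result, error) {
	var r Result
	wspKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	spKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	tok, err := Encrypt(&wspKey.PublicKey, "https://wsp.example.org", []byte(Payload)) // discovery service
	if err != nil {
		return r, err
	}
	_, err = Decrypt(spKey, tok) // SP tries its own key: OAEP unwrap fails
	r.SPCouldRead = err == nil
	pt, err := Decrypt(wspKey, tok) // SP forwards unchanged; WSP reads it
	if err != nil {
		return r, err
	}
	r.WSPPlaintext = string(pt)
	tampered := *tok // SP forwards a modified copy; the GCM tag check catches it
	tampered.Ciphertext = append([]byte(nil), tok.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = Decrypt(wspKey, &tampered)
	r.TamperDetected = err != nil
	return r, nil
}

func main() {
	r, err := RunFlow()
	if err != nil {
		panic(err)
	}
	fmt.Printf("WSP read: %s\nSP could read: %v\ntamper detected: %v\n", r.WSPPlaintext, r.SPCouldRead, r.TamperDetected)
}
```

The point the requirement makes is visible in the two failing decryptions: the SP's TLS sessions to the discovery service and to the WSP protect nothing from the SP itself, whereas the wrapped content key ties readability to the WSP's private key regardless of who relays the message. A real deployment would also sign the token (item 2) so the WSP can verify which discovery service issued it; encryption alone gives confidentiality, not origin authentication.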

