We plan to make several adjustments to the default profiles and security mechanisms used for new installs. These will not impact upgrades when done in accordance with the documentation.
The three widely agreed changes are:
- disable SAML 1 by default
- disable attribute queries by default
- remove default support for use of PKIX at runtime
The tentatively agreed change is to switch the default XML encryption algorithm to AES-GCM. This is more open to discussion because it guarantees some effort by deployers to override that default for a variety of services, likely permanently.