Relaying this here for Mads, who had this to say after the MDS changed to using pyFF/pyXMLSecurity:
Is there a reason we should know for using a non-exclusive canonicalization method for the SignedInfo, but an exclusive one for the transform of the referenced document?
The metadata spec says: "SAML implementations SHOULD use Exclusive Canonicalization, with or without comments, both in the <ds:CanonicalizationMethod> element of <ds:SignedInfo>, and as a <ds:Transform>..."
Relaying this here for Mads, who had this to say after the MDS changed to using pyFF/pyXMLSecurity: