Why doesn't NIP-96 have the authorization event commit to the upload hash? It *seems* like it should, but I guess it's not *necessary* because of https? It would actually be cool to not require https, since https (effectively) implies reliance on centralized CAs and DNS.
Discussion
Blossom knows what's up https://github.com/hzrd149/blossom/blob/master/buds/02.md
Ah nvm it's there but optional https://github.com/nostr-protocol/nips/blob/master/96.md#auth
Not sure how I missed that on my first reading.