Why doesn't NIP-96 have the authorization event commit to the upload hash? It *seems* like it should, but I guess it's not *necessary* because of https? It would actually be cool to not require https, since https (effectively) implies reliance on centralized CAs and DNS.