Just to clarify from my larger comments in the original issue thread, there are two cases with hosted badges to handle:
1. issuer.json on exampleplatform.net claims to issue badges on behalf of trusteduniversity.edu (this case is an example of using an issuing platform. Q: how can a badge system declare which issuing platform is authentic?)
2. issuer.json, badgeclass.json, and badgeimg.png are hosted on example.com, and an untrustworthy scoundrel hosts an assertion that references them on a different domain. (Off the top of my head, I can't think of any legitimate uses of this structure for which to make allowances.)
Thread was originally started here: https://github.com/mozilla/openbadges/issues/1003
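The second case above, as an added example that is not part of the comment or of the mozilla/openbadges project: a strict origin-consistency check over a hosted assertion chain (assertion -> badge class -> issuer), using constructed documents in an in-memory map in place of HTTP fetches, so that an assertion hosted on a different domain from its badge class and issuer is flagged.

```python
"""Origin-consistency check for a hosted Open Badges (1.x) assertion chain.

Added example, not code from the mozilla/openbadges project. Assumes the
hosted layout assertion -> badge (badgeclass URL) -> issuer (issuer URL) and
replaces HTTP fetches with an in-memory map of constructed documents.
"""
from urllib.parse import urlsplit

ISSUER = "https://example.com/issuer.json"
BADGECLASS = "https://example.com/badgeclass.json"

def make_assertion(url):
    """Constructed hosted assertion pointing at the example.com badge class."""
    return {"uid": "42",
            "recipient": {"type": "email", "hashed": False,
                          "identity": "learner@example.org"},
            "badge": BADGECLASS,
            "verify": {"type": "hosted", "url": url}}

# Constructed documents keyed by the URL they would be hosted at.
DOCS = {
    ISSUER: {"name": "Example Org", "url": "https://example.com"},
    BADGECLASS: {"name": "Helper", "issuer": ISSUER,
                 "image": "https://example.com/badgeimg.png"},
    # Legitimate: assertion on the same origin as its badge class and issuer.
    "https://example.com/assertion.json":
        make_assertion("https://example.com/assertion.json"),
    # Case 2 from the thread: a third party hosts an assertion that
    # references the example.com badge class and image.
    "https://scoundrel.example.net/assertion.json":
        make_assertion("https://scoundrel.example.net/assertion.json"),
}

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())

def fetch(url):
    return DOCS[url]  # stand-in for an HTTPS GET of the hosted JSON

def check_hosted_assertion(assertion_url):
    """Return the list of origin problems found; empty means consistent."""
    problems = []
    assertion = fetch(assertion_url)
    if assertion.get("verify", {}).get("url") != assertion_url:
        problems.append("verify.url differs from the URL the assertion was fetched from")
    badge = fetch(assertion["badge"])
    issuer_origin = origin(badge["issuer"])
    for label, url in (("assertion", assertion_url),
                       ("badge", assertion["badge"]),
                       ("image", badge["image"])):
        if origin(url) != issuer_origin:
            problems.append(f"{label} {url} is not on issuer origin {issuer_origin[1]}")
    return problems
```

This strict check would also reject the issuing-platform layout of case 1 (issuer.json on exampleplatform.net for trusteduniversity.edu), which would need some declared allow-list of authentic platforms; the thread leaves that question open.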