Sec. 4.1, 5th paragraph, lists several specific extensions that must be supported by the endpoint. It doesn't use normative language. It also leaves it to implementers to go through possible extensions and through each parameter they define, and decide which is applicable. This is ripe for interop and security issues. I suggest including a closed list of extensions instead, and allowing new extensions to mention that they apply to this endpoint.