Open OriPekelman opened 10 years ago
Current spec as far as I can see does not allow for apis.json to live anywhere but the root. It does allow for other FQDNs, and here the discussion gets somewhat weird around authority. I have no idea why you delve into this. If you want "authority" and believe this to be important, you should be authoritative to your FQDN and basta. Nothing else. If this is a security mechanism I do not believe this is a good one. I would even say this is a very very bad one. You must at least mandate that apis.json be served only over HTTPS if this is a security thing. Or you must implement some signing mechanism. Beware the "security theater" here.
I believe this part to be defensive and over-engineered. I can't really see the use case and what we are defending against.