Index of Normative Statements

[bumblefudge]

1. Are all the MUSTS capitalized that should be? Are any of the musts currently not capitalized actually not normative requirements?
2. Is it worth adding a feature-branch to spec-up that automates this, or are we going to manually index the norm statements at each major version?
3. There are a few MUSTs in the Security and Privacy Considerations section, which are traditionally non-normative sections at W3C and appendices (thus also non-normative) at IETF. Maybe they could be softened to SHOULDs? For instance, 4.3 seems to reiterate a normative statement already made earlier, and as for 4.4, I have to wonder if there isn't some corner-case imaginable where Access-Control-Allow-Origin not being set to * would be defensible...