Untitled

=====
===== This is a working proposal draft and is subject to change.
=====

Endpoint: https://sessionserver.mojang.com/session/minecraft/npc/{uuid}?name={name}&texture={texid}

Validations:
 - uuid is a Type 2 UUID (java.util.UUID#getVersion())
 - name does NOT match ^[a-zA-Z0-9_]{2,16}$ (valid username regex)
 - texid is 64 hexdigits

Returns:
Profile with the provided uuid and name, and this 'textures' Property, signed:
{"timestamp":-1,"profileId":"{uuid}","profileName":"{name}","isStatic":true,"textures":{"SKIN":{"url":"http://textures.minecraft.net/texture/{texid}"}}}

-----

Client behavior:
These validations should always be made:
 - signature matches value
 - profileId matches entity Id
 - profileName matches player name
Upon seeing a GameProfile from the server, when a 'secure' profile is required (player skins, as opposed to skull textures), the following validations should be made:
 - Profile does not define isPublic to be true
 - If profile defines isStatic to be true:
     - uuid is a Type 2 UUID (java.util.UUID#getVersion())
     - player name does NOT match ^[a-zA-Z0-9_]{2,16}$ (valid username regex)
 - Otherwise:
     - The skin blob is no more than 1 week old

-----

Notes:
Type 2 UUIDs must be made with the UUID(long, long) constructor. I expect server implementations to provide a helper method to generate these.
Type 2 UUIDs are currently defined as 'DCE Security' UUIDs, but I believe it is safe to repurpose them in this way. They're barely mentioned in RFC 4122, and the RFC does not include details on how to make them.
I sincerely hope nobody stays on a server for a whole week. As we already saw, people will stay on them for a whole day.
Servers and server plugins SHOULD cache the results of this request, with an expiration date of the next Minecraft or plugin version.
Servers and server plugins SHOULD make all necessary requests to this endpoint on their first run, if feasible, or as soon as they know it is needed.