Begin to address William's feedback.

* Require that `name` conform to the normalization rules, and include a link
* Require that `version` conform to the version specs, and include a link
* RFC 3399 instead of ISO 8601 as the timestamp spec.  The RFC is a simpler format that subsets the
  ISO standard, and is more appropriate to our use case.
* Adjust the gentoken() algorithm to be more resistant to tomfoolery.  This may still change.
* Require `filename` to conform to either the source or binary distribution file name convention,
  and include links

Author: warsaw

peps/pep-0694.rst

@@ -339,10 +339,15 @@ The request includes the following top-level keys:
     ``api-version`` the value of which must be the string ``"2.0"``.
 
 ``name`` (**required**)
-    The name of the project that this session is attempting to release a new version of.
+    The name of the project that this session is attempting to release a new version of.  The name
+    **MUST** conform to the `standard package name format
+    <https://packaging.python.org/en/latest/specifications/name-normalization/#name-normalization>`__
+    and the server **MUST** normalize the name.
 
 ``version`` (**required**)
-    The version of the project that this session is attempting to add files to.
+    The version of the project that this session is attempting to add files to.  The version string
+    **MUST** conform to the `packaging version
+    <https://packaging.python.org/en/latest/specifications/version-specifiers/>`_ specification.
 
 ``nonce`` (**optional**)
     An additional client-side string input to the
@@ -414,13 +419,14 @@ the following keys:
     If the index does *not* support stage previewing, this key **MUST** be omitted.
 
 ``expires-at``
-    An ISO8601 formatted timestamp string representing when the server will expire this session,
-    and thus all of its content, including any uploaded files and the URL links related to the
-    session. The session **SHOULD** remain active until at least this time
-    unless the client itself has canceled or published the session. Servers **MAY** choose to
-    extend this expiration time, but should never move it earlier.
-    Clients can query the :ref:`session status <session-status>`
-    to get the current expiration time of the session.
+    An :rfc:`3339` formatted timestamp string; this string **MUST** represent a UTC timestamp using the
+    "Zulu" (i.e. ``Z``) marker, and use only whole seconds (i.e. no fractional seconds).  This
+    timestamp represents when the server will expire this session, and thus all of its content,
+    including any uploaded files and the URL links related to the session. The session **SHOULD**
+    remain active until at least this time unless the client itself has canceled or published the
+    session. Servers **MAY** choose to extend this expiration time, but should never move it
+    earlier.  Clients can query the :ref:`session status <session-status>` to get the current
+    expiration time of the session.
 
 ``status``
     A string that contains one of ``pending``, ``published``, ``error``, or ``canceled``,
@@ -585,8 +591,8 @@ following Python code as an example:
 
     def gentoken(name: bytes, version: bytes, nonce: bytes = b''):
         h = sha256()
-        h.update(name)
-        h.update(version)
+        h.update(f'{len(name)}'.encode('ascii') + name)
+        h.update(f'{len(version)}'.encode('ascii') + version)
         h.update(nonce)
         return h.hexdigest()
 
@@ -634,7 +640,14 @@ The request looks like:
 Besides the standard ``meta`` key, the request JSON has the following additional keys:
 
 ``filename`` (**required**)
-    The name of the file being uploaded.
+    The name of the file being uploaded.  The filename **MUST** conform to either the `source
+    distribution file name specification
+    <https://packaging.python.org/en/latest/specifications/source-distribution-format/#source-distribution-file-name>`_
+    or the `binary distribution file name convention
+    <https://packaging.python.org/en/latest/specifications/binary-distribution-format/#file-name-convention>`_.
+    Indexes **SHOULD** validate these file names at the time of the request, returning a ``400 Bad
+    Request`` error code, as described in the :ref:`session-errors` section when the file names do
+    not conform.
 
 ``size`` (**required**)
     The size in bytes of the file being uploaded.
@@ -722,9 +735,10 @@ the following keys:
     indicating the current state of the File Upload Session.
 
 ``expires-at``
-    An ISO8601 formatted timestamp string representing when the server will expire this File Upload Session.
-    The session **SHOULD** remain active until at least this time
-    unless the client cancels or completes it. Servers **MAY** choose to
+    An :rfc:`3339` formatted timestamp string representing when the server will expire this File Upload
+    Session.  This string **MUST** represent a UTC timestamp using the "Zulu" (i.e. ``Z``) marker,
+    and use only whole seconds (i.e. no fractional seconds).  The session **SHOULD** remain active
+    until at least this time unless the client cancels or completes it. Servers **MAY** choose to
     extend this expiration time, but should never move it earlier.
 
 ``mechanism``