Behavior for malformed/invalid requests is not specified

[grishka]

The base specification does not say what a server or a FASP should do upon receiving a request that

• Contains malformed JSON
• Contains valid JSON, but lacks a required field or does not make sense in some other way like an invalid combination of some properties or an empty array where a non-empty one is expected

I suggest that the first case should be a 400 Bad Request, the second could either be the same or 422 Unprocessable Entity.