No, in fact I don't. But this post wouldn't be of any help anyway. It feels like it's about nothing, there is no substance, just stating some obvious facts. Without examples that lead to some real recommendations, this whole expertise claimed by the author is of no use.
That's harsh. I believe the author really does get questions from people who want to register a well known path, and probably some of them really failed to consider sites with ~user paths or whathaveyou and this post might push them to use a better solution.
And if you read that and still feel confident that you want a well known url, he links you to the registration process.
Does a change-password registry actually get used, even by bots? I don't see bots checking for a .well-known/change-password url on my sites. It seems a good place to put public configs, just to have a place for them, but not as a means of discovery.
One disappointment you can't help but feel, having worked in technology a while, is about how people solve the same problems over and over in redundant and subtly incompatible ways.
How do you associate metadata with a public name? A SRV record! No, a TXT record! No, a meta tag! No, data attributes! No, an X.509 attribute! No, a random file at top level! No, a well known file under some schema! No, ...
It goes on forever. We're left with a mishmash of mechanisms and lowest common denominator support for them all.
It would be nice if we picked an extension mechanism and maximally enhanced it rather than having everyone invent his own
I do think it is important to have autonomous discoverability with domain-anchored trust, whether through .well-known or DNS records or DNS over HTTP. It looks like cloudflare has already added a bunch of observability into their products around this area, and I am investigating too [1]. It seems like the number of services needing these, and the amount needed per org should both go up with more agentic use cases.
I believe auth.md is also a recent example that uses .well-known
17 comments
[ 2.6 ms ] story [ 43.0 ms ] threadWhy password-reset instead of a more generic link tree?
Why discord domain verification instead of domain-verifications with a dynamic list on entries?
Seems like a waste of time. I would just define my own spec outside of well known for my use case.
Let's stop polluting the root of a domain!
[1] https://llmstxt.org/
And if you read that and still feel confident that you want a well known url, he links you to the registration process.
Alternative, no SNI required
https://web.archive.org/web/20260619061625if_/https://mnot.n...
It's great
https://www.ietf.org/archive/id/draft-stein-tls-ech-consider...
How do you associate metadata with a public name? A SRV record! No, a TXT record! No, a meta tag! No, data attributes! No, an X.509 attribute! No, a random file at top level! No, a well known file under some schema! No, ...
It goes on forever. We're left with a mishmash of mechanisms and lowest common denominator support for them all.
It would be nice if we picked an extension mechanism and maximally enhanced it rather than having everyone invent his own
I believe auth.md is also a recent example that uses .well-known
[1] https://instagrate-me.sudoscience.dev/