I'm familiar with RFC 8615. It says:

    Note that this specification defines neither how to determine the
    hostname to use to find the well-known URI for a particular
    application, nor the scope of the metadata discovered by
    dereferencing the well-known URI; both should be defined by the
    application itself.

I am seeking advice on this (hostname) aspect of the problem, which RFC 8615 specifies is out of its scope. Specifically, I am evaluating whether/how to use DNS to indicate the authoritative hostname for a registrable domain through an RFC 8552 ("Underscored and Globally Scoped DNS Node Names") underscored node name.

Thanks,
Will

________________________________
From: S Moonesamy <[email protected]>
Sent: Wednesday, April 8, 2026 11:44 AM
To: Will Bartlett <[email protected]>; [email protected] <[email protected]>
Subject: [EXTERNAL] Re: [DNSOP] Advice sought: DNS record type for FedCM well-known file delegation

Hi Will,

At 05:03 PM 06-04-2026, Will Bartlett wrote:
>The W3C Federated Identity CG/WG is working on FedCM (Federated Credential
>Management), a browser API for federated authentication. The spec currently
>requires Identity Providers to host a .well-known/web-identity file at the
>registrable domain (apex). This requirement is privacy driven - in order to
>ensure Identity Providers are unaware of Relying Parties until user consent
>is granted, Identity Providers must not be permitted to use per-Relying Party
>configuration files. In other words, each registrable domain must have a
>single configuration file. Hosting a file at the apex is operationally
>problematic when the apex is operated by a different service than the
>authentication service - a common setup where login.example.com CNAMEs to a
>white-label auth provider while the apex serves a marketing site,
>storefront, etc.
>
>We're considering using DNS to let IDPs indicate where the well-known data
>lives. We have four candidate approaches and would appreciate guidance on
>which is most appropriate, or if another pattern is appropriate:

I took a quick look at the web API. It uses "well-known locations" (RFC 8615). I suggest starting from that RFC.

Regards,
S. Moonesamy

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
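The following is an added example and is not code from this thread, from the FedCM spec, or from any of the four candidate approaches (which the thread does not list). It sketches what "use an RFC 8552 underscored node name to delegate the well-known host" could look like as a resolver-side check: a stub resolver derives the IdP's `.well-known/web-identity` URL from its registrable domain alone, honours a hypothetical `_web-identity` TXT record that names the serving host, and refuses a delegation that points outside the registrable domain. The record label, the `v=fedcm1; host=` syntax, the in-domain restriction, and all DNS data are assumptions invented for this example.

```python
"""
Added example (not from the DNSOP thread or the FedCM spec): a stub resolver
that derives an IdP's FedCM well-known URL from its registrable domain,
honouring an RFC 8552-style underscored TXT record that delegates the serving
host. The "_web-identity" label and the "v=fedcm1; host=" syntax are
assumptions invented for this example; the spec defines no such record.
"""

WELL_KNOWN_PATH = "/.well-known/web-identity"  # path from the FedCM draft
DELEGATION_LABEL = "_web-identity"              # hypothetical underscored label
DELEGATION_VERSION = "fedcm1"                   # hypothetical version tag

# Constructed DNS data standing in for a live resolver, so this runs offline.
# owner name -> list of (rrtype, rdata)
FAKE_ZONE = {
    "example.com.": [("A", "192.0.2.10")],
    "_web-identity.example.com.": [("TXT", "v=fedcm1; host=login.example.com")],
    # The thread's white-label setup: the login host is a CNAME to a vendor.
    # The browser's HTTP fetch follows it; this lookup does not need to.
    "login.example.com.": [("CNAME", "tenant42.idp-vendor.example.")],
    "other.example.": [("A", "192.0.2.20")],
    # A delegation that escapes the registrable domain; must be refused.
    "_web-identity.bad.example.": [("TXT", "v=fedcm1; host=idp.attacker.example")],
}


def lookup(zone, name, rrtype):
    """Return the rdata strings of the given type at `name` (empty if none)."""
    name = name.rstrip(".").lower() + "."
    return [rdata for (t, rdata) in zone.get(name, []) if t == rrtype]


def parse_delegation(txt):
    """Parse 'v=fedcm1; host=<name>' (hypothetical syntax); None if not ours."""
    fields = {}
    for part in txt.split(";"):
        k, _, v = part.strip().partition("=")
        fields[k.strip().lower()] = v.strip().lower()
    if fields.get("v") != DELEGATION_VERSION:
        return None
    return fields.get("host") or None


def is_within(host, registrable_domain):
    """True if host is the registrable domain itself or a subdomain of it."""
    host = host.rstrip(".").lower()
    registrable_domain = registrable_domain.rstrip(".").lower()
    return host == registrable_domain or host.endswith("." + registrable_domain)


def well_known_url(registrable_domain, zone=FAKE_ZONE):
    """Well-known URL for an IdP, computed from its registrable domain only.

    Privacy property from the thread: the relying party never enters this
    computation, so the location cannot vary per RP and the IdP learns
    nothing about the RP from serving it.
    """
    domain = registrable_domain.rstrip(".").lower()
    host = domain
    records = lookup(zone, f"{DELEGATION_LABEL}.{domain}", "TXT")
    targets = {h for h in map(parse_delegation, records) if h}
    if len(targets) > 1:
        raise ValueError(f"ambiguous delegation for {domain}: {sorted(targets)}")
    if targets:
        (host,) = targets
        # Assumption for this example: a delegation may only point inside the
        # registrable domain, so the zone owner cannot hand the file to a
        # third party that does not already control a name under it.
        if not is_within(host, domain):
            raise ValueError(f"delegation for {domain} escapes to {host}")
    return f"https://{host}{WELL_KNOWN_PATH}"


if __name__ == "__main__":
    print(well_known_url("example.com"))
    print(well_known_url("other.example"))
```

One caveat this example adopts rather than settles: a delegation record moves the trust decision from "whoever can serve HTTPS at the apex" to "whoever can publish a record in the zone", so a consumer would want the answer to be DNSSEC-validated (or to treat the record as no more authoritative than the apex it names) before relying on it.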
