
They say that iCloud Keychain on iOS 12 and Safari 12 have implemented this feature.

And sure enough, https://www.icloud.com/.well-known/change-password

Looking through the referenced RFC, there's a whole raft of "well-known" URLs that are registered.


How widely adopted are these?

GnuPG can use /.well-known/openpgpkey since 2.1.12, and it is used by default since 2.1.23, when you do --lookup-key.


  $ gpg --lookup-key foo@example.org

will include among the places searched /.well-known/openpgpkey/hu/<some-sort-of-hash-looking-thing>?l=foo at example.org. It also looks at /.well-known/openpgpkey/policy.

Toss in "--auto-key-locate=clear,wkd,nodefault" to force it to look there for the key even if it already has a key for that email address.

<some-sort-of-hash-looking-thing> is ZBase32(SHA1(localPart)) and the standard is described here: https://wiki.gnupg.org/WKD

If one controls a domain, has HTTPS set up and uses PGP this is the easiest and most secure way to host a key (`gpg --list-keys --with-wkd $KEY` shows the hash value).

Enigmail, Mailpile, Mailvelope will automatically discover the key when composing an e-mail. ProtonMail is also working on integration of WKD with their web mail.
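As an added example (not code from the comments above or from GnuPG itself), this computes the WKD lookup URL described above from an e-mail address, with a self-contained z-base-32 encoder. It assumes the WKD draft's rule that the local part is lowercased before hashing, and also covers the "advanced" method (openpgpkey subdomain), which the comment above does not mention; the output for a real key can be checked against `gpg --list-keys --with-wkd`.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (Zooko's ordering), as used by GnuPG's WKD.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, MSB first, no padding
    characters; a trailing partial group is zero-padded on the right."""
    out, buffer, bits = [], 0, 0
    for byte in data:
        buffer = (buffer << 8) | byte
        bits += 8
        while bits >= 5:
            bits -= 5
            out.append(ZBASE32_ALPHABET[(buffer >> bits) & 0x1F])
    if bits:  # leftover bits (SHA-1's 160 bits divide evenly, so unused there)
        out.append(ZBASE32_ALPHABET[(buffer << (5 - bits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """The 'hu' path component: z-base-32 of SHA-1 of the lowercased local part.
    Lowercasing before hashing is the WKD draft's mapping rule (assumption noted
    in the lead-in); SHA-1 is 160 bits, so this is always 32 characters."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_url(address: str, advanced: bool = False) -> str:
    """Build the direct-method URL (https://<domain>/.well-known/openpgpkey/hu/<hash>)
    or the advanced-method URL on the openpgpkey.<domain> subdomain. The ?l=
    query carries the local part as written (case preserved), percent-encoded."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hashed = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")
    if advanced:
        return f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}{query}"
    return f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}"


if __name__ == "__main__":
    # Constructed sample address; the hash shown is whatever SHA-1 of "foo" yields.
    print(wkd_url("foo@example.org"))
    print(wkd_url("foo@example.org", advanced=True))
```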

The one that Apple's browsers request on every domain isn't even in the list:


That's the only .well-known request we have in our logs from the last year or more. Seems to be looking for an app associated with our site.

Aside from that, I don't know anyone or anything else using .well-known. Seems to be an Apple thing.

WebFinger, a key underlying tech of the Fediverse and used for bootstrapping OpenID Connect, ActivityPub, and many other standards uses .well-known.


I think LetsEncrypt uses it, no?

Yes, /.well-known/acme-challenge is used by LetsEncrypt.

Yes, also Keybase.

Yes, also OpenID Connect.

Sadly only for discovery. But it would be great if OAuth/OpenID Connect would actually use .well-known/authorize, etc. Instead each provider has its own sauce.

The discussion was about specs/standards for .well-known. I pointed out that Apple's isn't in the list.

In that context I don't follow why you think linking to Apple's development guide helps clarify anything? It still isn't a specified standard, and still isn't on the list of them.

You stated you were unsure what it was. The link clarifies that.

And it is a specified standard: the link is the specification. It's not a standard developed by a multi-stakeholder standards organization, but there are other kinds of standards, too.

It really has no utility outside of Apple's app ecosystem, so why would you want it to become a standard?

Looks like the change was proposed by an Apple WebKit developer:


which would explain why Apple has implemented it...

Yup, hi.

Regardless of what happens, thank you for trying to make the web a better place.

they are not well known

As a site owner, how many of those should you handle?

Already do special handling of acme-challenge for Let's Encrypt/ACME but that's a given.

As a site owner, the main thing you should do about .well-known is be aware that it's special, so e.g. if you add a feature where users get a vanity page at www.example.com/username, you shouldn't let them have the username .well-known.

The leading dot is there both because that is already special in POSIX and because there's a good chance your validation whitelisting already forbids leading dots, just like newlines, slashes and other characters we can expect to cause mayhem. So this was a less dangerous choice than just well-known without the dot.

