And sure enough, https://www.icloud.com/.well-known/change-password
Looking through the referenced RFC, there's a whole raft of "well known" URLs that are registered.
How widely adopted are these?
$ gpg --locate-keys email@example.com
Toss in "--auto-key-locate=clear,wkd,nodefault" to force it to look there for the key even if it already has a key for that email address.
If one controls a domain, has HTTPS set up and uses PGP this is the easiest and most secure way to host a key (`gpg --list-keys --with-wkd $KEY` shows the hash value).
Enigmail, Mailpile, Mailvelope will automatically discover the key when composing an e-mail. ProtonMail is also working on integration of WKD with their web mail.
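An added illustration, not part of any comment in this thread and not GnuPG's code: this Python sketch derives the hash value and the two `.well-known/openpgpkey` URLs a WKD client requests, following the OpenPGP Web Key Directory draft. The function names are hypothetical and the address is the draft's own sample.

```python
import base64
import hashlib
from urllib.parse import quote

# z-base-32 is plain base32 with a different alphabet, so translate symbol for symbol.
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZB32 = str.maketrans(_B32, _ZB32)


def _ascii_lower(s):
    # WKD lowercases ASCII letters only; non-ASCII characters are left unchanged.
    return "".join(c.lower() if c.isascii() else c for c in s)


def wkd_hash(local_part):
    """32-character z-base-32 SHA-1 of the lowercased local part."""
    # SHA-1 is what the draft specifies; it only names the file, it does not
    # authenticate the key (HTTPS to the domain does that).
    digest = hashlib.sha1(_ascii_lower(local_part).encode("utf-8")).digest()
    # 20 bytes = 160 bits = exactly 32 base32 symbols, so no '=' padding appears.
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZB32)


def wkd_urls(address):
    """Return the 'advanced' and 'direct' lookup URLs for an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address: %r" % address)
    domain = _ascii_lower(domain)
    h = wkd_hash(local)
    # The l= parameter carries the local part in its original case, percent-encoded.
    l = quote(local, safe="")
    return {
        # Clients try the openpgpkey. subdomain first, then the bare domain.
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


if __name__ == "__main__":
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(method, url)
```

The `hu/<hash>` path is the file a domain owner has to serve, and the same pattern is what WKD lookups look like in web server logs.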
That's the only .well-known request we have in our logs from the last year or more. Seems to be looking for an app associated with our site.
Aside from that, I don't know anyone or anything else using .well-known. Seems to be an Apple thing.
In that context I don't follow why you think linking to Apple's development guide helps clarify anything? It still isn't a specified standard, and still isn't on the list of them.
And it is a specified standard: the link is the specification. It's not a standard developed by a multi-stakeholder standards organization, but there are other kinds of standards, too.
Which would explain why Apple has implemented it...
Already do special handling of acme-challenge for Let's Encrypt/ACME but that's a given.
The leading dot is there both because that is already special in POSIX and because there's a good chance your validation whitelisting already forbids leading dots, just like newlines, slashes and other characters we can expect to cause mayhem. So this was a less dangerous choice than just well-known without the dot.