#1217: Question: How to reduce apex domain modifications for IDPs using FedCM


Opened Apr 7, 2026

The FedID Working Group and Community Group are trying to resolve a long-standing question on alternatives to .well-known on the apex domain. There is a new proposal under discussion, but the groups have stalled on the best architectural pattern for the web. While using .well-known is technically easy, implementation-wise it is not easy for identity providers that do not have direct control of that file.

So, the immediate question is: What is the pattern (or, is there a pattern) for an item that MUST have a cardinality of 1 on the registrable domain? FedCM requires one endpoint for user+relyingParty privacy. Today, the FedCM spec uses the apex domain, which has operational considerations (see the meeting notes from 7 April 2026 for the most recent CG/WG discussion on the matter). We are examining:

  1. using an underscored prefixed DNS name (_web-identity.<domain>) or
  2. using a non-underscored prefixed DNS name through HTTP (web-identity.<domain>).

Does TAG have a preferred pattern for problems like this or have any considerations for choosing between these options?

We also have a question on the use of an underscored prefixed DNS name open with IETF DNSOP (see https://mailarchive.ietf.org/arch/msg/dnsop/aLACo0YpxJezsvlXZipp9aL0mFs/).

The AT Protocol group is discussing a similar and related topic here


Discussions

Comment by @jyasskin Apr 7, 2026

This might also be something the IETF HTTPAPI WG might want to weigh in on. FYI @mnot.